{ "CVE-2003-1604": { "affected_versions": "v2.6.12-rc2 to v2.6.12-rc2", "backport": true, "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "7.5" }, "cwe": "Other", "fixes": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "nvd_text": "The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in the Linux kernel before 2.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending packets to an interface that has a 0.0.0.0 IP address, a related issue to CVE-2015-8787.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2003-1604", "ExploitDB": "https://www.exploit-db.com/search?cve=2003-1604", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2003-1604", "Red Hat": "https://access.redhat.com/security/cve/CVE-2003-1604", "SUSE": "https://www.suse.com/security/cve/CVE-2003-1604", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2003/CVE-2003-1604" } }, "CVE-2004-0230": { "affected_versions": "unk to v3.6-rc1", "breaks": "", "cmt_msg": "tcp: implement RFC 5961 3.2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Other", "fixes": "282f23c6ee343126156dd41218b22ece96d747e3", "last_affected_version": "3.2.36", "nvd_text": "TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to 
persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2004-0230", "ExploitDB": "https://www.exploit-db.com/search?cve=2004-0230", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2004-0230", "Red Hat": "https://access.redhat.com/security/cve/CVE-2004-0230", "SUSE": "https://www.suse.com/security/cve/CVE-2004-0230", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2004/CVE-2004-0230" } }, "CVE-2005-3660": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "", "nvd_text": "Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service (memory exhaustion and panic) by creating a large number of connected file descriptors or socketpairs and setting a large data transfer buffer, then preventing Linux from being able to finish the transfer by causing the process to become a zombie, or closing the file descriptor without closing an associated reference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2005-3660", "ExploitDB": "https://www.exploit-db.com/search?cve=2005-3660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2005-3660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2005-3660", "SUSE": "https://www.suse.com/security/cve/CVE-2005-3660", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2005/CVE-2005-3660" } }, "CVE-2006-3635": { "affected_versions": "v2.6.12-rc2 to v2.6.26-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", 
"Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Buffer Errors", "fixes": "4dcc29e1574d88f4465ba865ed82800032f76418", "nvd_text": "The ia64 subsystem in the Linux kernel before 2.6.26 allows local users to cause a denial of service (stack consumption and system crash) via a crafted application that leverages the mishandling of invalid Register Stack Engine (RSE) state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2006-3635", "ExploitDB": "https://www.exploit-db.com/search?cve=2006-3635", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2006-3635", "Red Hat": "https://access.redhat.com/security/cve/CVE-2006-3635", "SUSE": "https://www.suse.com/security/cve/CVE-2006-3635", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2006/CVE-2006-3635" } }, "CVE-2006-5331": { "affected_versions": "v2.6.12-rc2 to v2.6.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Data Handling", "fixes": "6c4841c2b6c32a134f9f36e5e08857138cc12b10", "nvd_text": "The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the 
kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2006-5331", "ExploitDB": "https://www.exploit-db.com/search?cve=2006-5331", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2006-5331", "Red Hat": "https://access.redhat.com/security/cve/CVE-2006-5331", "SUSE": "https://www.suse.com/security/cve/CVE-2006-5331", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2006/CVE-2006-5331" } }, "CVE-2006-6128": { "affected_versions": "unk to v2.6.19-rc2", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Other", "fixes": "edc666e2ff9ec2e4e9510f1127c68c22cffc93f6", "nvd_text": "The ReiserFS functionality in Linux kernel 2.6.18, and possibly other versions, allows local users to cause a denial of service via a malformed ReiserFS file system that triggers memory corruption when a sync is performed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2006-6128", "ExploitDB": "https://www.exploit-db.com/search?cve=2006-6128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2006-6128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2006-6128", "SUSE": "https://www.suse.com/security/cve/CVE-2006-6128", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2006/CVE-2006-6128" } }, "CVE-2007-3719": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Other", "fixes": "", "nvd_text": "The process scheduler in the Linux kernel 2.6.16 gives preference to \"interactive\" processes that perform voluntary 
sleeps, which allows local users to cause a denial of service (CPU consumption), as described in \"Secretly Monopolizing the CPU Without Superuser Privileges.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2007-3719", "ExploitDB": "https://www.exploit-db.com/search?cve=2007-3719", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2007-3719", "Red Hat": "https://access.redhat.com/security/cve/CVE-2007-3719", "SUSE": "https://www.suse.com/security/cve/CVE-2007-3719", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-3719" } }, "CVE-2007-4774": { "affected_versions": "v2.6.12-rc2 to v2.6.12-rc2", "backport": true, "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "score": "4.3" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": "5.9" }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "last_modified": "2020-01-28", "nvd_text": "The Linux kernel before 2.4.36-rc1 has a race condition. 
It was possible to bypass systrace policies by flooding the ptraced process with SIGCONT signals, which can wake up a PTRACED process.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2007-4774", "ExploitDB": "https://www.exploit-db.com/search?cve=2007-4774", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2007-4774", "Red Hat": "https://access.redhat.com/security/cve/CVE-2007-4774", "SUSE": "https://www.suse.com/security/cve/CVE-2007-4774", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-4774" } }, "CVE-2007-6761": { "affected_versions": "v2.6.12-rc2 to v2.6.24-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "0b29669c065f60501e7289e1950fa2a618962358", "nvd_text": "drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6.24 does not initialize videobuf_mapping data structures, which allows local users to trigger an incorrect count value and videobuf leak via unspecified vectors, a different vulnerability than CVE-2010-5321.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2007-6761", "ExploitDB": "https://www.exploit-db.com/search?cve=2007-6761", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2007-6761", "Red Hat": "https://access.redhat.com/security/cve/CVE-2007-6761", "SUSE": "https://www.suse.com/security/cve/CVE-2007-6761", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-6761" } }, "CVE-2007-6762": { "affected_versions": "v2.6.19-rc1 to v2.6.20-rc5",
"breaks": "fd3858554b62c3af6b7664b5c58ad864c87116c9", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "7.5" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "9.8" }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "2a2f11c227bdf292b3a2900ad04139d301b56ac4", "last_modified": "2020-06-25", "nvd_text": "In the Linux kernel before 2.6.20, there is an off-by-one bug in net/netlabel/netlabel_cipso_v4.c where it is possible to overflow the doi_def->tags[] array.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2007-6762", "ExploitDB": "https://www.exploit-db.com/search?cve=2007-6762", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2007-6762", "Red Hat": "https://access.redhat.com/security/cve/CVE-2007-6762", "SUSE": "https://www.suse.com/security/cve/CVE-2007-6762", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-6762" } }, "CVE-2008-2544": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "", "last_modified": "2021-06-08", "nvd_text": "Mounting /proc 
filesystem via chroot command silently mounts it in read-write mode. The user could bypass the chroot environment and gain write access to files, he would never have otherwise.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2008-2544", "ExploitDB": "https://www.exploit-db.com/search?cve=2008-2544", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2008-2544", "Red Hat": "https://access.redhat.com/security/cve/CVE-2008-2544", "SUSE": "https://www.suse.com/security/cve/CVE-2008-2544", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2008/CVE-2008-2544" } }, "CVE-2008-4609": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Configuration", "fixes": "", "nvd_text": "The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2008-4609", "ExploitDB": "https://www.exploit-db.com/search?cve=2008-4609", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2008-4609", "Red Hat": "https://access.redhat.com/security/cve/CVE-2008-4609", "SUSE": "https://www.suse.com/security/cve/CVE-2008-4609", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2008/CVE-2008-4609" } }, "CVE-2008-7316": { "affected_versions": "v2.6.12-rc2 to v2.6.25-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity 
Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Input Validation", "fixes": "124d3b7041f9a0ca7c43a6293e1cae4576c32fd5", "nvd_text": "mm/filemap.c in the Linux kernel before 2.6.25 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers an iovec of zero length, followed by a page fault for an iovec of nonzero length.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2008-7316", "ExploitDB": "https://www.exploit-db.com/search?cve=2008-7316", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2008-7316", "Red Hat": "https://access.redhat.com/security/cve/CVE-2008-7316", "SUSE": "https://www.suse.com/security/cve/CVE-2008-7316", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2008/CVE-2008-7316" } }, "CVE-2009-2692": { "affected_versions": "unk to v2.6.31-rc6", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "e694958388c50148389b0e9b9e9e8945cf0f1b98", "last_modified": "2019-09-12", "nvd_text": "The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2009-2692", "ExploitDB": "https://www.exploit-db.com/search?cve=2009-2692", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2009-2692", "Red Hat": "https://access.redhat.com/security/cve/CVE-2009-2692", "SUSE": "https://www.suse.com/security/cve/CVE-2009-2692", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-2692" } }, "CVE-2010-0008": { "affected_versions": "unk to v2.6.23-rc9", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "ece25dfa0991f65c4e1d26beb1c3c45bda4239b8", "last_modified": "2019-06-17", "nvd_text": "The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-0008", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-0008", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-0008", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-0008", "SUSE": "https://www.suse.com/security/cve/CVE-2010-0008", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-0008" } }, "CVE-2010-3432": { "affected_versions": "unk to v2.6.36-rc5", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Other", "fixes": "4bdab43323b459900578b200a4b8cf9713ac8fab", "last_modified": "2019-03-26", "nvd_text": "The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous 
initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-3432", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-3432", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-3432", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-3432", "SUSE": "https://www.suse.com/security/cve/CVE-2010-3432", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3432" } }, "CVE-2010-4563": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": "The Linux kernel, when using IPv6, allows remote attackers to determine whether a host is sniffing the network by sending an ICMPv6 Echo Request to a multicast address and determining whether an Echo Reply is sent, as demonstrated by thcping.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-4563", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-4563", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-4563", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-4563", "SUSE": "https://www.suse.com/security/cve/CVE-2010-4563", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4563" } }, "CVE-2010-4648": { "affected_versions": "v2.6.28-rc1 to v2.6.37-rc6", "breaks": "d03032af511c56d3c1580fa4f54f6285f650e638", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "3.3" }, "cwe": "Insufficient Information", "fixes": 
"0a54917c3fc295cb61f3fb52373c173fd3b69f48", "last_modified": "2019-03-26", "nvd_text": "The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/wext.c in the Linux kernel before 2.6.37 does not properly implement a TKIP protection mechanism, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading Wi-Fi frames.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-4648", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-4648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-4648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-4648", "SUSE": "https://www.suse.com/security/cve/CVE-2010-4648", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4648" } }, "CVE-2010-5313": { "affected_versions": "v2.6.12-rc2 to v2.6.38-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Race Conditions", "fixes": "fc3a9157d3148ab91039c75423da8ef97be3e105", "nvd_text": "Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-5313", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-5313", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-5313", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-5313", "SUSE": "https://www.suse.com/security/cve/CVE-2010-5313", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5313" } }, "CVE-2010-5321": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access 
Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "4.3" }, "cwe": "Buffer Errors", "fixes": "", "nvd_text": "Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761. NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-5321", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-5321", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-5321", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-5321", "SUSE": "https://www.suse.com/security/cve/CVE-2010-5321", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5321" } }, "CVE-2010-5328": { "affected_versions": "v2.6.12-rc2 to v2.6.35-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Input Validation", "fixes": "f106eee10038c2ee5b6056aaf3f6d5229be6dcdd", "nvd_text": 
"include/linux/init_task.h in the Linux kernel before 2.6.35 does not prevent signals with a process group ID of zero from reaching the swapper process, which allows local users to cause a denial of service (system crash) by leveraging access to this process group.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-5328", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-5328", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-5328", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-5328", "SUSE": "https://www.suse.com/security/cve/CVE-2010-5328", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5328" } }, "CVE-2010-5329": { "affected_versions": "v2.6.12-rc2 to v2.6.39-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Resource Management Errors", "fixes": "fc0a80798576f80ca10b3f6c9c7097f12fd1d64e", "nvd_text": "The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-5329", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-5329", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-5329", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-5329", "SUSE": "https://www.suse.com/security/cve/CVE-2010-5329", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5329" } }, "CVE-2010-5331": { "affected_versions": "v2.6.32-rc1 to v2.6.34-rc7", "breaks": "4ce001abafafe77e5dd943d1480fc9f87894e96f", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "7.5" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "9.8" }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "0031c41be5c529f8329e327b63cde92ba1284842", "last_modified": "2020-02-22", "nvd_text": "** DISPUTED ** In the Linux kernel before 2.6.34, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem. NOTE: At least one Linux maintainer believes that this CVE is incorrectly assigned and should be rejected because the value is hard coded and are not user-controllable where it is used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-5331", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-5331", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-5331", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-5331", "SUSE": "https://www.suse.com/security/cve/CVE-2010-5331", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5331" } }, "CVE-2010-5332": { "affected_versions": "v2.6.28-rc1 to v2.6.37-rc1", "breaks": "2a2336f8228292b8197f4187e54b0748903e6645", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "7.5" }, "cvss3": { "Attack Complexity": "Low", 
"Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "9.8" }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "0926f91083f34d047abc74f1ca4fa6a9c161f7db", "last_modified": "2019-07-30", "nvd_text": "In the Linux kernel before 2.6.37, an out of bounds array access happened in drivers/net/mlx4/port.c. When searching for a free entry in either mlx4_register_vlan() or mlx4_register_mac(), and there is no free entry, the loop terminates without updating the local variable free thus causing out of array bounds access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2010-5332", "ExploitDB": "https://www.exploit-db.com/search?cve=2010-5332", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2010-5332", "Red Hat": "https://access.redhat.com/security/cve/CVE-2010-5332", "SUSE": "https://www.suse.com/security/cve/CVE-2010-5332", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5332" } }, "CVE-2011-4098": { "affected_versions": "v2.6.37-rc1 to v3.2-rc1", "breaks": "3921120e757f9167f3fcd3a1781239824471b14d", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Buffer Errors", "fixes": "64dd153c83743af81f20924c6343652d731eeecb", "nvd_text": "The fallocate implementation in the GFS2 filesystem in the Linux kernel before 3.2 relies on the page cache, which might allow local users to cause a denial of service by preallocating blocks in certain situations involving insufficient memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-4098", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-4098", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-4098", 
"Red Hat": "https://access.redhat.com/security/cve/CVE-2011-4098", "SUSE": "https://www.suse.com/security/cve/CVE-2011-4098", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4098" } }, "CVE-2011-4131": { "affected_versions": "v2.6.12-rc2 to v3.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "NFSv4: include bitmap in nfsv4 get acl data", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.6" }, "cwe": "Numeric Errors", "fixes": "bf118a342f10dafe44b14451a1392c3254629a1f", "last_affected_version": "3.2.1", "nvd_text": "The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-4131", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-4131", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-4131", "Red Hat": "https://access.redhat.com/security/cve/CVE-2011-4131", "SUSE": "https://www.suse.com/security/cve/CVE-2011-4131", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4131" } }, "CVE-2011-4915": { "affected_versions": "v2.6.28-rc1 to v3.2-rc1", "breaks": "4a2b5fddd53b80efcb3266ee36e23b8de28e761a", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": "5.5" }, "cwe": "Information Exposure", "fixes": "c290f8358acaeffd8e0c551ddcc24d1206143376", "last_modified": "2020-02-26", "nvd_text": "fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-4915", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-4915", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-4915", "Red Hat": "https://access.redhat.com/security/cve/CVE-2011-4915", "SUSE": "https://www.suse.com/security/cve/CVE-2011-4915", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4915" } }, "CVE-2011-4916": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2022-07-13", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-4916", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-4916", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-4916", "Red Hat": "https://access.redhat.com/security/cve/CVE-2011-4916", "SUSE": "https://www.suse.com/security/cve/CVE-2011-4916", "Ubuntu": "https://ubuntu.com/security/CVE-2011-4916" } }, "CVE-2011-4917": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-4917", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-4917", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-4917", "Red Hat": "https://access.redhat.com/security/cve/CVE-2011-4917", "SUSE": "https://www.suse.com/security/cve/CVE-2011-4917", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4917" } }, "CVE-2011-5321": { "affected_versions": "v2.6.28-rc1 to v3.2-rc1", "breaks": "4a2b5fddd53b80efcb3266ee36e23b8de28e761a", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Other", "fixes": "c290f8358acaeffd8e0c551ddcc24d1206143376", "nvd_text": "The tty_open function in drivers/tty/tty_io.c in the Linux kernel before 3.1.1 mishandles a driver-lookup failure, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted access to a device file under the /dev/pts directory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-5321", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-5321", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-5321", "Red Hat": "https://access.redhat.com/security/cve/CVE-2011-5321", "SUSE": "https://www.suse.com/security/cve/CVE-2011-5321", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5321" } }, "CVE-2011-5327": { "affected_versions": "v2.6.39-rc1 to v3.1-rc1", "breaks": "3703b2c5d041a68095cdd22380c23ce27d449ad7", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "7.5" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "9.8" }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "12f09ccb4612734a53e47ed5302e0479c10a50f8", "last_modified": "2019-08-01", "nvd_text": "In the Linux kernel before 3.1, an off by one in the drivers/target/loopback/tcm_loop.c 
tcm_loop_make_naa_tpg() function could result in at least memory corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2011-5327", "ExploitDB": "https://www.exploit-db.com/search?cve=2011-5327", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2011-5327", "Red Hat": "https://access.redhat.com/security/cve/CVE-2011-5327", "SUSE": "https://www.suse.com/security/cve/CVE-2011-5327", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5327" } }, "CVE-2012-0957": { "affected_versions": "v3.1-rc4 to v3.7-rc2", "breaks": "be27425dcc516fd08245b047ea57f83b8f6f0903", "cmt_msg": "kernel/sys.c: fix stack memory content leak via UNAME26", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Configuration", "fixes": "2702b1526c7278c4d65d78de209a465d4de2885e", "last_affected_version": "3.2.32", "nvd_text": "The override_release function in kernel/sys.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-0957", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-0957", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-0957", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-0957", "SUSE": "https://www.suse.com/security/cve/CVE-2012-0957", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0957" } }, "CVE-2012-2119": { "affected_versions": "v3.1-rc1 to v3.5-rc1", "breaks": "97bc3633bec7ed0fdfbda6b9cf86c51e4f58f8e2", "cmt_msg": "macvtap: zerocopy: fix offset calculation when building skb", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", 
"Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.2" }, "cwe": "Buffer Errors", "fixes": "3afc9621f15701c557e60f61eba9242bac2771dd", "last_affected_version": "3.2.23", "nvd_text": "Buffer overflow in the macvtap device driver in the Linux kernel before 3.4.5, when running in certain configurations, allows privileged KVM guest users to cause a denial of service (crash) via a long descriptor with a long vector length.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2119", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2119", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2119", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2119", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2119", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2119" } }, "CVE-2012-2136": { "affected_versions": "v2.6.12-rc2 to v3.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Input Validation", "fixes": "cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc", "last_affected_version": "3.2.22", "nvd_text": "The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2136", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2136", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2136", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2012-2136", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2136", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2136" } }, "CVE-2012-2137": { "affected_versions": "v2.6.33-rc1 to v3.5-rc2", "breaks": "46e624b95c36d729bdf24010fff11d16f6fe94fa", "cmt_msg": "KVM: Fix buffer overflow in kvm_set_irq()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "f2ebd422f71cda9c791f76f85d2ca102ae34a1ed", "last_affected_version": "3.2.23", "nvd_text": "Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2137", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2137", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2137", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2137", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2137", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2137" } }, "CVE-2012-2313": { "affected_versions": "v2.6.12-rc2 to v3.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dl2k: Clean up rio_ioctl", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "1.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "1bb57e940e1958e40d51f2078f50c3a96a9b2d75", 
"last_affected_version": "3.2.18", "nvd_text": "The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2313", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2313", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2313", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2313", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2313", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2313" } }, "CVE-2012-2319": { "affected_versions": "v2.6.12-rc2 to v3.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "hfsplus: Fix potential buffer overflows", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "6f24f892871acc47b40dd594c63606a17c714f77", "last_affected_version": "3.2.16", "nvd_text": "Multiple buffer overflows in the hfsplus filesystem implementation in the Linux kernel before 3.3.5 allow local users to gain privileges via a crafted HFS plus filesystem, a related issue to CVE-2009-4020.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2319", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2319", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2319", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2319", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2319", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2319" } }, "CVE-2012-2372": { "affected_versions": "v2.6.30-rc1 to v3.13-rc4", "breaks": "639b321b4d8f4e412bfbb2a4a19bfebc1e68ace4", 
"cmt_msg": "rds: prevent BUG_ON triggered on congestion update to loopback", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.4" }, "cwe": "Insufficient Information", "fixes": "18fc25c94eadc52a42c025125af24657a93638c0", "last_affected_version": "3.12.7", "nvd_text": "The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2372", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2372", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2372", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2372", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2372", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2372" } }, "CVE-2012-2375": { "affected_versions": "v2.6.12-rc2 to v3.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Fix length of buffer copied in __nfs4_get_acl_uncached", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.6" }, "cwe": "Numeric Errors", "fixes": "20e0fa98b751facf9a1101edaefbc19c82616a68", "last_affected_version": "3.2.14", "nvd_text": "The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to cause a denial of service (OOPS) by sending 
an excessive number of bitmap words in an FATTR4_ACL reply. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2375", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2375", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2375", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2375", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2375", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2375" } }, "CVE-2012-2390": { "affected_versions": "v2.6.12-rc2 to v3.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "hugetlb: fix resv_map leak in error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Resource Management Errors", "fixes": "c50ac050811d6485616a193eb0f37bfbd191cc89", "last_affected_version": "3.2.19", "nvd_text": "Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2390", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2390", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2390", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2390", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2390", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2390" } }, "CVE-2012-2669": { "affected_versions": "v2.6.39-rc1 to v3.5-rc4", "breaks": "cc04acf53fb1bba1e57b0d34a400ccaf498fc9be", "cmt_msg": "Tools: hv: verify origin of netlink connector message", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability 
Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "2.1" }, "cwe": "Input Validation", "fixes": "bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c", "last_affected_version": "3.2.21", "nvd_text": "The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2669", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2669", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2669", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2669" } }, "CVE-2012-2744": { "affected_versions": "v2.6.12-rc2 to v2.6.34-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Other", "fixes": "9e2dcf72023d1447f09c47d77c99b0c49659e5ce", "nvd_text": "net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2744", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2744", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2744", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2744", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2744", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2744" } }, "CVE-2012-2745": { "affected_versions": "v2.6.32-rc1 to v3.4-rc3", "breaks": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "cmt_msg": "cred: copy_process() should clear child->replacement_session_keyring", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "79549c6dfda0603dba9a70a53467ce62d9335c33", "last_affected_version": "3.2.14", "nvd_text": "The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-2745", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-2745", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-2745", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-2745", "SUSE": "https://www.suse.com/security/cve/CVE-2012-2745", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2745" } }, "CVE-2012-3364": { "affected_versions": "v3.1-rc1 to v3.5-rc6", "breaks": "3e256b8f8dfa309a80b5dece388d85d9a9801a29", "cmt_msg": "NFC: Prevent multiple buffer overflows in NCI", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Buffer Errors", "fixes": "67de956ff5dc1d4f321e16cfbd63f5be3b691b43", "last_affected_version": "3.2.22", "nvd_text": "Multiple stack-based buffer overflows in the Near Field Communication Controller Interface (NCI) in the Linux kernel before 3.4.5 allow remote attackers to cause a denial of 
service (crash) and possibly execute arbitrary code via incoming frames with crafted length fields.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3364", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3364", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3364", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3364", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3364", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3364" } }, "CVE-2012-3375": { "affected_versions": "v3.3-rc1 to v3.4-rc5", "breaks": "28d82dc1c4edbc352129f97f4ca22624d1fe61de", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "13d518074a952d33d47c428419693f63389547e9", "nvd_text": "The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. 
NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3375", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3375", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3375", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3375", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3375", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3375" } }, "CVE-2012-3400": { "affected_versions": "v2.6.12-rc2 to v3.5-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Fortify loading of sparing table", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.6" }, "cwe": "Buffer Errors", "fixes": "1df2ae31c724e57be9d7ac00d78db8a5dabdd050", "last_affected_version": "3.2.22", "nvd_text": "Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3400", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3400", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3400", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3400", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3400", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3400" } }, "CVE-2012-3412": { "affected_versions": "v2.6.12-rc2 to v3.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: Allow driver to limit number of GSO segments per skb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Numeric Errors", "fixes": "30b678d844af3305cda5953467005cebb5d7b687", "last_affected_version": "3.2.29", "nvd_text": "The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3412", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3412", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3412", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3412", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3412", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3412" } }, "CVE-2012-3430": { "affected_versions": "v2.6.12-rc2 to v3.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rds: set correct msg_namelen", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", "fixes": "06b6a1cf6e776426766298d055bb3991957d90a7", "last_affected_version": "3.2.30", "nvd_text": "The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3430", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3430", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3430", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3430", "SUSE": 
"https://www.suse.com/security/cve/CVE-2012-3430", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3430" } }, "CVE-2012-3510": { "affected_versions": "v2.6.19-rc1 to v2.6.19-rc4", "breaks": "9acc1853519a0473620d424105f9d49ea5b4e62e", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.6" }, "cwe": "Resource Management Errors", "fixes": "f0ec1aaf54caddd21c259aea8b2ecfbde4ee4fb9", "nvd_text": "Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel before 2.6.19 allows local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3510", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3510", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3510", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3510", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3510", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3510" } }, "CVE-2012-3511": { "affected_versions": "v2.6.21-rc6 to v3.5-rc6", "breaks": "90ed52ebe48181d3c5427b3bd1d24f659e7575ad", "cmt_msg": "mm: Hold a file reference in madvise_remove", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Race Conditions", "fixes": "9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb", "last_affected_version": "3.2.22", "nvd_text": "Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) 
via vectors involving a (1) munmap or (2) close system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3511", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3511", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3511", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3511", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3511", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3511" } }, "CVE-2012-3520": { "affected_versions": "v3.2-rc1 to v3.6-rc3", "breaks": "16e5726269611b71c930054ffe9b858c1cea88eb", "cmt_msg": "af_netlink: force credentials passing [CVE-2012-3520]", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "1.9" }, "cwe": "Authentication Issues", "fixes": "e0e3cea46d31d23dc40df0a49a7a2c04fe8edfea", "last_affected_version": "3.2.29", "nvd_text": "The Netlink implementation in the Linux kernel before 3.2.30 does not properly handle messages that lack SCM_CREDENTIALS data, which might allow local users to spoof Netlink communication via a crafted message, as demonstrated by a message to (1) Avahi or (2) NetworkManager.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3520", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3520", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3520", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3520", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3520", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3520" } }, "CVE-2012-3552": { "affected_versions": "v2.6.12-rc2 to v3.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": 
"None", "Integrity Impact": "None", "score": "5.4" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": "5.9" }, "cwe": "Race Conditions", "fixes": "f6d8bd051c391c1c0458a30b2a7abcd939329259", "last_modified": "2020-08-04", "nvd_text": "Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-3552", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-3552", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-3552", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-3552", "SUSE": "https://www.suse.com/security/cve/CVE-2012-3552", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3552" } }, "CVE-2012-4220": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cwe": "Insufficient Information", "fixes": "", "nvd_text": "diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics (aka DIAG) kernel-mode driver for Android 2.3 through 4.2 allows attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via an application that uses crafted arguments in a local diagchar_ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4220", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4220", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4220", "Red 
Hat": "https://access.redhat.com/security/cve/CVE-2012-4220", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4220", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4220" }, "vendor_specific": true }, "CVE-2012-4221": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cwe": "Numeric Errors", "fixes": "", "nvd_text": "Integer overflow in diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics (aka DIAG) kernel-mode driver for Android 2.3 through 4.2 allows attackers to execute arbitrary code or cause a denial of service via an application that uses crafted arguments in a local diagchar_ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4221", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4221", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4221", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4221", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4221", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4221" }, "vendor_specific": true }, "CVE-2012-4222": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.3" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "drivers/gpu/msm/kgsl.c in the Qualcomm Innovation Center (QuIC) Graphics KGSL kernel-mode driver for Android 2.3 through 4.2 allows attackers to cause a denial of service (NULL pointer dereference) via an application that uses crafted arguments in a local kgsl_ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4222", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2012-4222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4222", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4222", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4222" }, "vendor_specific": true }, "CVE-2012-4398": { "affected_versions": "v2.6.12-rc2 to v3.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usermodehelper: use UMH_WAIT_PROC consistently", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "70834d3070c3f3015ab5c05176d54bd4a0100546", "nvd_text": "The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4398", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4398", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4398", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4398", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4398", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4398" } }, "CVE-2012-4444": { "affected_versions": "v2.6.12-rc2 to v2.6.36-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "5.0" }, "cwe": "Insufficient Information", "fixes": "70789d7052239992824628db8133de08dc78e593", "nvd_text": "The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 
2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4444", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4444", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4444", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4444", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4444", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4444" } }, "CVE-2012-4461": { "affected_versions": "v2.6.36-rc1 to v3.7-rc6", "breaks": "2acf923e38fb6a4ce0c57115decbb38d334902ac", "cmt_msg": "KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Insufficient Information", "fixes": "6d1068b3a98519247d8ba4ec85cd40ac136dbdf9", "last_affected_version": "3.2.35", "nvd_text": "The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4461", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4461", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4461", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4461", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4461", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4461" } }, "CVE-2012-4467": { "affected_versions": "v3.4-rc1 to v3.6-rc5", "breaks": "644595f89620ba8446cc555be336d24a34464950", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "6.6" }, "cwe": "Resource Management Errors", "fixes": "ed6fe9d614fc1bca95eb8c0ccd0e92db00ef9d5d", "nvd_text": "The (1) do_siocgstamp and (2) do_siocgstampns functions in net/socket.c in the Linux kernel before 3.5.4 use an incorrect argument order, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4467", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4467", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4467", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4467", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4467", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4467" } }, "CVE-2012-4508": { "affected_versions": "v2.6.12-rc2 to v3.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: race-condition protection for ext4_convert_unwritten_extents_endio", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Race Conditions", "fixes": "dee1f973ca341c266229faa5a1a5bb268bed3531", "last_affected_version": "3.2.32", "nvd_text": "Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4508", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4508", "SUSE": 
"https://www.suse.com/security/cve/CVE-2012-4508", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4508" } }, "CVE-2012-4530": { "affected_versions": "v2.6.28-rc1 to v3.8-rc1", "breaks": "bf2a9a39639b8b51377905397a5005f444e9a892", "cmt_msg": "exec: use -ELOOP for max recursion depth", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", "fixes": "d740269867021faf4ce38a449353d2b986c34a67", "last_affected_version": "3.2.39", "nvd_text": "The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4530", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4530", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4530", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4530", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4530", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4530" } }, "CVE-2012-4542": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2012-4542", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4542", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4542", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4542", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4542", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4542" } }, "CVE-2012-4565": { "affected_versions": "v2.6.12-rc2 to v3.7-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fix divide by zero in tcp algorithm illinois", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Numeric Errors", "fixes": "8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664", "last_affected_version": "3.2.33", "nvd_text": "The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-4565", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-4565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-4565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-4565", "SUSE": "https://www.suse.com/security/cve/CVE-2012-4565", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-4565" } }, "CVE-2012-5374": { "affected_versions": "v2.6.29-rc1 to v3.8-rc1", "breaks": "39279cc3d2704cfbf9c35dcb5bdd392159ae4625", "cmt_msg": "Btrfs: fix hash overflow handling", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": 
"Cryptographic Issues", "fixes": "9c52057c698fb96f8f07e7a4bcf4801a092bda89", "nvd_text": "The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-5374", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-5374", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-5374", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-5374", "SUSE": "https://www.suse.com/security/cve/CVE-2012-5374", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5374" } }, "CVE-2012-5375": { "affected_versions": "v2.6.29-rc1 to v3.8-rc1", "breaks": "39279cc3d2704cfbf9c35dcb5bdd392159ae4625", "cmt_msg": "Btrfs: fix hash overflow handling", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Cryptographic Issues", "fixes": "9c52057c698fb96f8f07e7a4bcf4801a092bda89", "nvd_text": "The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-5375", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-5375", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-5375", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-5375", "SUSE": "https://www.suse.com/security/cve/CVE-2012-5375", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5375" } }, 
"CVE-2012-5517": { "affected_versions": "v2.6.35-rc1 to v3.6-rc1", "breaks": "1f522509c77a5dea8dc384b735314f03908a6415", "cmt_msg": "mm/hotplug: correctly add new zone to all other nodes' zone lists", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Other", "fixes": "08dff7b7d629807dbb1f398c68dd9cd58dd657a1", "last_affected_version": "3.2.40", "nvd_text": "The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-5517", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-5517", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-5517", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-5517", "SUSE": "https://www.suse.com/security/cve/CVE-2012-5517", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5517" } }, "CVE-2012-6536": { "affected_versions": "v2.6.39-rc1 to v3.6-rc7", "breaks": "d8647b79c3b7e223ac051439d165bc8e7bbb832f", "cmt_msg": "xfrm_user: ensure user supplied esn replay window is valid", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", "fixes": "ecd7918745234e423dd87fcc0c077da557909720", "last_affected_version": "3.2.30", "nvd_text": "net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify that the actual Netlink message length is consistent with a certain header field, which allows local users to obtain sensitive 
information from kernel heap memory by leveraging the CAP_NET_ADMIN capability and providing a (1) new or (2) updated state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6536", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6536", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6536", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6536", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6536", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6536" } }, "CVE-2012-6537": { "affected_versions": "v2.6.12-rc2 to v3.6-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfrm_user: fix info leak in copy_to_user_tmpl()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "1f86840f897717f86d523a13e99a447e6a5d2fa5", "last_affected_version": "3.2.30", "nvd_text": "net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6537", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6537", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6537", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6537", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6537", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6537" } }, "CVE-2012-6538": { "affected_versions": "v2.6.33-rc1 to v3.6-rc7", "breaks": "4447bb33f09444920a8f1d89e1540137429351b6", "cmt_msg": "xfrm_user: fix info leak in copy_to_user_auth()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "4c87308bdea31a7b4828a51f6156e6f721a1fcc9", "last_affected_version": "3.2.30", "nvd_text": "The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6538", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6538", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6538", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6538", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6538", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6538" } }, "CVE-2012-6539": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fix info leak in compat dev_ifconf()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "43da5f2e0d0c69ded3d51907d9552310a6b545e8", "last_affected_version": "3.2.29", "nvd_text": "The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6539", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6539", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6539", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6539", "SUSE": 
"https://www.suse.com/security/cve/CVE-2012-6539", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6539" } }, "CVE-2012-6540": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "2d8a041b7bfe1097af21441cb77d6af95f4f4680", "last_affected_version": "3.2.29", "nvd_text": "The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6540", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6540", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6540", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6540", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6540", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6540" } }, "CVE-2012-6541": { "affected_versions": "v2.6.37-rc1 to v3.6-rc3", "breaks": "67b67e365f07d6dc70f3bb266af3268bac0a4836", "cmt_msg": "dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "7b07f8eb75aa3097cdfd4f6eac3da49db787381d", "last_affected_version": "3.2.29", "nvd_text": "The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c 
in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6541", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6541", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6541", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6541", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6541", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6541" } }, "CVE-2012-6542": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "llc: fix info leak via getsockname()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "3592aaeb80290bda0f2cf0b5456c97bfc638b192", "last_affected_version": "3.2.29", "nvd_text": "The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6542", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6542", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6542", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6542", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6542", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6542" } }, "CVE-2012-6543": { "affected_versions": "v3.5-rc1 to v3.6-rc3", "breaks": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "cvss2": { "Access Complexity": 
"Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "04d4fbca1017c11381e7d82acea21dd741e748bc", "nvd_text": "The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6543", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6543", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6543", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6543" } }, "CVE-2012-6544": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: L2CAP - Fix info leak via getsockname()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "792039c73cf176c8e39a6e8beef2c94ff46522ed", "last_affected_version": "3.2.29", "nvd_text": "The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6544", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6544", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6544", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2012-6544", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6544", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6544" } }, "CVE-2012-6545": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: RFCOMM - Fix info leak via getsockname()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "9344a972961d1a6d2c04d9008b13617bcb6ec2ef", "last_affected_version": "3.2.29", "nvd_text": "The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6545", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6545", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6545", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6545", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6545", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6545" } }, "CVE-2012-6546": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "atm: fix info leak via getsockname()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a", "last_affected_version": "3.2.29", "nvd_text": "The ATM implementation in the Linux kernel before 3.6 does not initialize certain 
structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6546", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6546", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6546", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6546", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6546", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6546" } }, "CVE-2012-6547": { "affected_versions": "v2.6.12-rc2 to v3.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/tun: fix ioctl() based info leaks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "a117dacde0288f3ec60b6e5bcedae8fa37ee0dfc", "last_affected_version": "3.2.27", "nvd_text": "The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6547", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6547", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6547", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6547", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6547", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6547" } }, "CVE-2012-6548": { "affected_versions": "v2.6.12-rc2 to v3.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: avoid info leak on export", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "0143fc5e9f6f5aad4764801015bc8d4b4a278200", "last_affected_version": "3.2.41", "nvd_text": "The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6548", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6548", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6548", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6548", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6548", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6548" } }, "CVE-2012-6549": { "affected_versions": "v2.6.12-rc2 to v3.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isofs: avoid info leak on export", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "fe685aabf7c8c9f138e5ea900954d295bf229175", "last_affected_version": "3.2.41", "nvd_text": "The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6549", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6549", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6549", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6549", "SUSE": 
"https://www.suse.com/security/cve/CVE-2012-6549", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6549" } }, "CVE-2012-6638": { "affected_versions": "v2.6.12-rc2 to v3.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: drop SYN+FIN messages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa", "last_affected_version": "3.2.23", "nvd_text": "The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linux kernel before 3.2.24 allows remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets, a different vulnerability than CVE-2012-2663.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6638", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6638", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6638", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6638", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6638", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6638" } }, "CVE-2012-6647": { "affected_versions": "v2.6.31-rc1 to v3.6-rc2", "breaks": "52400ba946759af28442dee6265c5c0180ac7122", "cmt_msg": "futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "6f7b0a2a5c0fb03be7c25bd1745baa50582348ef", "last_affected_version": "3.2.26", "nvd_text": "The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different 
futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6647", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6647", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6647", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6647" } }, "CVE-2012-6657": { "affected_versions": "v2.6.12-rc2 to v3.6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: guard tcp_set_keepalive() to tcp sockets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "3e10986d1d698140747fcfc2761ec9cb64c1d582", "last_affected_version": "3.2.30", "nvd_text": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5.7 does not ensure that a keepalive action is associated with a stream socket, which allows local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6657", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6657", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6657", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6657", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6657", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6657" } }, "CVE-2012-6689": { "affected_versions": "unk to v3.6-rc5", "breaks": "", "cmt_msg": "netlink: fix possible spoofing from non-root 
processes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Improper Access Control", "fixes": "20e1db19db5d6b9e4e83021595eab0dc8f107bef", "last_affected_version": "3.2.29", "nvd_text": "The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6689", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6689", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6689", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6689", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6689", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6689" } }, "CVE-2012-6701": { "affected_versions": "v2.6.12-rc2 to v3.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vfs: make AIO use the proper rw_verify_area() area helpers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Other", "fixes": "a70b52ec1aaeaf60f4739edb1b422827cb6f3893", "last_affected_version": "3.2.18", 
"nvd_text": "Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6701", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6701", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6701", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6701", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6701", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6701" } }, "CVE-2012-6703": { "affected_versions": "v3.3-rc1 to v3.7-rc1", "breaks": "b21c60a4edd22e26fbebe7dd7078349a8cfa7273", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Other", "fixes": "b35cc8225845112a616e3a2266d2fde5ab13d3ab", "nvd_text": "Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6703", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6703", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6703", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6703", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6703", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6703" } }, "CVE-2012-6704": { "affected_versions": "v2.6.12-rc2 to v3.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: cleanups in sock_setsockopt()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "82981930125abfd39d7c8378a9cfdf5e1be2002b", "last_affected_version": "3.2.84", "nvd_text": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6704", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6704", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6704", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6704", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6704", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6704" } }, "CVE-2012-6712": { "affected_versions": "v2.6.27-rc1 to v3.4-rc1", "breaks": "24e5c40130c29bed0fbfbcc9c23613ae6ffc4c0a", "cmt_msg": "iwlwifi: Sanity check for sta_id", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity 
Impact": "Partial", "score": "7.5" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "9.8" }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "2da424b0773cea3db47e1e81db71eeebde8269d4", "last_modified": "2019-08-01", "nvd_text": "In the Linux kernel before 3.4, a buffer overflow occurs in drivers/net/wireless/iwlwifi/iwl-agn-sta.c, which will cause at least memory corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2012-6712", "ExploitDB": "https://www.exploit-db.com/search?cve=2012-6712", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2012-6712", "Red Hat": "https://access.redhat.com/security/cve/CVE-2012-6712", "SUSE": "https://www.suse.com/security/cve/CVE-2012-6712", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6712" } }, "CVE-2013-0160": { "affected_versions": "v2.6.12-rc2 to v3.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "TTY: do not update atime/mtime on read/write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", "fixes": "b0de59b5733d18b0d1974a060860a8b5c1b36a2e", "last_affected_version": "3.2.44", "nvd_text": "The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0160", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0160", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0160", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0160", "SUSE": 
"https://www.suse.com/security/cve/CVE-2013-0160", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0160" } }, "CVE-2013-0190": { "affected_versions": "v2.6.23-rc1 to v3.8-rc5", "breaks": "5ead97c84fa7d63a6a7a2f4e9f18f452bd109045", "cmt_msg": "xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "9174adbee4a9a49d0139f5d71969852b36720809", "last_affected_version": "3.2.37", "nvd_text": "The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 and other versions, when running a 32-bit PVOPS guest, allows local users to cause a denial of service (guest crash) by triggering an iret fault, leading to use of an incorrect stack pointer and stack corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0190", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0190", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0190", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0190", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0190", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0190" } }, "CVE-2013-0216": { "affected_versions": "v2.6.12-rc2 to v3.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netback: correct netbk_tx_err to handle wrap around.", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.2" }, "cwe": "Input Validation", "fixes": "b9149729ebdcfce63f853aa54a404c6a8f6ebbf3", "last_affected_version": "3.2.38", "nvd_text": "The Xen netback functionality in the Linux kernel before 3.7.8 allows 
guest OS users to cause a denial of service (loop) by triggering ring pointer corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0216", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0216", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0216", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0216", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0216", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0216" } }, "CVE-2013-0217": { "affected_versions": "v2.6.12-rc2 to v3.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.2" }, "cwe": "Resource Management Errors", "fixes": "7d5145d8eb2b9791533ffe4dc003b129b9696c48", "last_affected_version": "3.2.38", "nvd_text": "Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0217", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0217", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0217", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0217", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0217", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0217" } }, "CVE-2013-0228": { "affected_versions": "v2.6.12-rc2 to v3.8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Numeric Errors", "fixes": "13d2b4d11d69a92574a55bfd985cfb0ca77aebdc", "last_affected_version": "3.2.38", "nvd_text": "The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0228", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0228", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0228", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0228", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0228", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0228" } }, "CVE-2013-0231": { "affected_versions": "v2.6.12-rc2 to v3.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Buffer Errors", "fixes": "51ac8893a7a51b196501164e645583bf78138699", "last_affected_version": "3.2.39", "nvd_text": "The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. 
NOTE: some of these details are obtained from third party information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0231", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0231", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0231", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0231", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0231", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0231" } }, "CVE-2013-0268": { "affected_versions": "v2.6.12-rc2 to v3.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/msr: Add capabilities check", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c903f0456bc69176912dee6dd25c6a66ee1aed00", "last_affected_version": "3.2.37", "nvd_text": "The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0268", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0268", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0268", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0268", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0268", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0268" } }, "CVE-2013-0290": { "affected_versions": "v3.4-rc1 to v3.8", "breaks": "3f518bf745cbd6007d8069100fb9cb09e960c872", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, 
"cwe": "Input Validation", "fixes": "77c1090f94d1b0b5186fb13a1b71b47b1343f87f", "nvd_text": "The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0290", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0290", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0290", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0290", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0290", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0290" } }, "CVE-2013-0309": { "affected_versions": "v2.6.12-rc2 to v3.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "027ef6c87853b0a9df53175063028edb4950d476", "last_affected_version": "3.2.31", "nvd_text": "arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0309", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0309", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0309", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0309", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0309", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0309" } }, 
"CVE-2013-0310": { "affected_versions": "v2.6.12-rc2 to v3.5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cipso: don't follow a NULL pointer when setsockopt() is called", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.6" }, "cwe": "Buffer Errors", "fixes": "89d7ae34cdda4195809a5a987f697a517a2a3177", "last_affected_version": "3.2.27", "nvd_text": "The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0310", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0310", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0310", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0310", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0310", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0310" } }, "CVE-2013-0311": { "affected_versions": "v2.6.34-rc1 to v3.7-rc8", "breaks": "3a4d5c94e959359ece6d6b55045c3f046677f55c", "cmt_msg": "vhost: fix length for cross region descriptor", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.5" }, "cwe": "Other", "fixes": "bd97120fc3d1a11f3124c7c9ba1d91f51829eb85", "last_affected_version": "3.2.39", "nvd_text": "The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS 
privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0311", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0311", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0311", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0311", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0311", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0311" } }, "CVE-2013-0313": { "affected_versions": "v2.6.12-rc2 to v3.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "evm: checking if removexattr is not a NULL", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Insufficient Information", "fixes": "a67adb997419fb53540d4a4f79c6471c60bc69b6", "last_affected_version": "3.2.37", "nvd_text": "The evm_update_evmxattr function in security/integrity/evm/evm_crypto.c in the Linux kernel before 3.7.5, when the Extended Verification Module (EVM) is enabled, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an attempted removexattr operation on an inode of a sockfs filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0313", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0313", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0313", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0313", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0313", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0313" } }, "CVE-2013-0343": { "affected_versions": "v2.6.12-rc2 to v3.11-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: remove max_addresses check from ipv6_create_tempaddr", "cvss2": { "Access Complexity": "High", 
"Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "3.2" }, "cwe": "Insufficient Information", "fixes": "4b08a8f1bd8cb4541c93ec170027b4d0782dab52", "last_affected_version": "3.2.51", "nvd_text": "The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0343", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0343", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0343", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0343", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0343", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0343" } }, "CVE-2013-0349": { "affected_versions": "v2.6.12-rc2 to v3.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Information Leak / Disclosure", "fixes": "0a9ab9bdb3e891762553f667066190c1d22ad62b", "last_affected_version": "3.2.37", "nvd_text": "The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2013-0349", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0349", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0349", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0349", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0349", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0349" } }, "CVE-2013-0871": { "affected_versions": "v2.6.12-rc2 to v3.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Race Conditions", "fixes": "910ffdb18a6408e14febbb6e4b6840fd2c928c82", "last_affected_version": "3.2.38", "nvd_text": "Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0871", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0871", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0871", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0871", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0871", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0871" } }, "CVE-2013-0913": { "affected_versions": "v2.6.37-rc5 to v3.9-rc4", "breaks": "d1d788302e8c76e5138dfa61f4a5eee4f72a748f", "cmt_msg": "drm/i915: bounds check execbuffer relocation count", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": 
"Numeric Errors", "fixes": "3118a4f652c7b12c752f3222af0447008f9b2368", "last_affected_version": "3.2.41", "nvd_text": "Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0913", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0913", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0913", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0913", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0913", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0913" } }, "CVE-2013-0914": { "affected_versions": "v2.6.12-rc2 to v3.9-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "signal: always clear sa_restorer on execve", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.6" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "2ca39528c01a933f6689cd6505ce65bd6d68a530", "last_affected_version": "3.2.40", "nvd_text": "The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-0914", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-0914", 
"NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-0914", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-0914", "SUSE": "https://www.suse.com/security/cve/CVE-2013-0914", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0914" } }, "CVE-2013-1059": { "affected_versions": "v2.6.34-rc2 to v3.11-rc1", "breaks": "4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc", "cmt_msg": "libceph: Fix NULL pointer dereference in auth client code", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Other", "fixes": "2cb33cac622afde897aa02d3dcd9fbba8bae839e", "last_affected_version": "3.2.48", "nvd_text": "net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1059", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1059", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1059", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1059", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1059", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1059" } }, "CVE-2013-1763": { "affected_versions": "v3.3-rc1 to v3.9-rc1", "breaks": "8ef874bfc7296fa206eea2ad1e8a426f576bf6f6", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Input Validation", "fixes": "6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0", "nvd_text": "Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c 
in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1763", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1763", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1763", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1763", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1763", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1763" } }, "CVE-2013-1767": { "affected_versions": "v2.6.12-rc2 to v3.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tmpfs: fix use-after-free of mempolicy object", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Resource Management Errors", "fixes": "5f00110f7273f9ff04ac69a5f85bb535a4fd0987", "last_affected_version": "3.2.39", "nvd_text": "Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1767", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1767", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1767", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1767", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1767", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1767" } }, "CVE-2013-1772": { "affected_versions": "v3.0-rc1 to v3.5-rc1", "breaks": "162a7e7500f9664636e649ba59defe541b7c2c60", "cmt_msg": "printk: convert byte-buffer to variable-length record buffer", "cvss2": { 
"Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Buffer Errors", "fixes": "7ff9554bb578ba02166071d2d487b7fc7d860d62", "nvd_text": "The log_prefix function in kernel/printk.c in the Linux kernel 3.x before 3.4.33 does not properly remove a prefix string from a syslog header, which allows local users to cause a denial of service (buffer overflow and system crash) by leveraging /dev/kmsg write access and triggering a call_console_drivers function call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1772", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1772", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1772", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1772", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1772", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1772" } }, "CVE-2013-1773": { "affected_versions": "v2.6.31-rc1 to v3.3-rc1", "breaks": "74675a58507e769beee7d949dbed788af3c4139d", "cmt_msg": "NLS: improve UTF8 -> UTF16 string conversion routine", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Buffer Errors", "fixes": "0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd", "last_affected_version": "3.2.40", "nvd_text": "Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1773", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-1773", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1773", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1773", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1773", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1773" } }, "CVE-2013-1774": { "affected_versions": "v2.6.12-rc2 to v3.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: io_ti: Fix NULL dereference in chase_port()", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "1ee0a224bc9aad1de496c795f96bc6ba2c394811", "last_affected_version": "3.2.37", "nvd_text": "The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1774", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1774", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1774", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1774", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1774", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1774" } }, "CVE-2013-1792": { "affected_versions": "v2.6.12-rc2 to v3.9-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "keys: fix race with concurrent install_user_keyrings()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Race 
Conditions", "fixes": "0da9dfdd2cd9889201bc6f6f43580c99165cd087", "last_affected_version": "3.2.40", "nvd_text": "Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1792", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1792", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1792", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1792", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1792", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1792" } }, "CVE-2013-1796": { "affected_versions": "v2.6.12-rc2 to v3.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.8" }, "cwe": "Buffer Errors", "fixes": "c300aa64ddf57d9c5d9c898a64b36877345dd4a9", "last_affected_version": "3.2.43", "nvd_text": "The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1796", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1796", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1796", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2013-1796", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1796", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1796" } }, "CVE-2013-1797": { "affected_versions": "v2.6.12-rc2 to v3.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.8" }, "cwe": "Resource Management Errors", "fixes": "0b79459b482e85cb7426aa7da683a9f2c97aeae1", "last_affected_version": "3.2.43", "nvd_text": "Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1797", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1797", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1797", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1797", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1797", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1797" } }, "CVE-2013-1798": { "affected_versions": "v2.6.12-rc2 to v3.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": 
"None", "score": "6.2" }, "cwe": "Input Validation", "fixes": "a2c118bfab8bc6b8bb213abfc35201e441693d55", "last_affected_version": "3.2.43", "nvd_text": "The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1798", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1798", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1798", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1798", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1798", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1798" } }, "CVE-2013-1819": { "affected_versions": "v2.6.37-rc1 to v3.8-rc6", "breaks": "74f75a0cb7033918eb0fa4a50df25091ac75c16e", "cmt_msg": "xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cwe": "Input Validation", "fixes": "eb178619f930fa2ba2348de332a1ff1c66a31424", "nvd_text": "The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel before 3.7.6 does not validate block numbers, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1819", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1819", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2013-1819", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1819", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1819", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1819" } }, "CVE-2013-1826": { "affected_versions": "v2.6.12-rc2 to v3.6-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfrm_user: return error pointer instead of NULL", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Other", "fixes": "864745d291b5ba80ea0bd0edcbe67273de368836", "last_affected_version": "3.2.30", "nvd_text": "The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux kernel before 3.5.7 does not properly handle error conditions in dump_one_state function calls, which allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1826", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1826", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1826", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1826", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1826", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1826" } }, "CVE-2013-1827": { "affected_versions": "v2.6.12-rc2 to v3.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dccp: check ccid before dereferencing", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Other", "fixes": "276bdb82dedb290511467a5a4fdbe9f0b52dce6f", 
"last_affected_version": "3.2.28", "nvd_text": "net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1827", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1827", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1827", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1827", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1827", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1827" } }, "CVE-2013-1828": { "affected_versions": "v3.8-rc1 to v3.9-rc2", "breaks": "196d67593439b03088913227093e374235596e33", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Input Validation", "fixes": "726bc6b092da4c093eb74d13c07184b18c1af0f1", "nvd_text": "The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kernel before 3.8.4 does not validate a size value before proceeding to a copy_from_user operation, which allows local users to gain privileges via a crafted application that contains an SCTP_GET_ASSOC_STATS getsockopt system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1828", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1828", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1828", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1828", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1828", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1828" } }, "CVE-2013-1848": { "affected_versions": "v2.6.33-rc1 to v3.9-rc3", "breaks": 
"4cf46b67eb6de94532c1bea11d2479d085229d0e", "cmt_msg": "ext3: Fix format string issues", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Input Validation", "fixes": "8d0c2d10dd72c5292eda7a06231056a4c972e4cc", "last_affected_version": "3.2.40", "nvd_text": "fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1848", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1848", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1848", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1848", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1848", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1848" } }, "CVE-2013-1858": { "affected_versions": "v3.8-rc1 to v3.9-rc3", "breaks": "5eaf563e53294d6696e651466697eb9d491f3946", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "e66eded8309ebf679d3d3c1f5820d1f2ca332c71", "nvd_text": "The clone system-call implementation in the Linux kernel before 3.8.3 does not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags, which allows local users to gain privileges by calling chroot and leveraging the sharing of the / directory between a parent process and a child process.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1858", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-1858", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1858", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1858", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1858", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1858" } }, "CVE-2013-1860": { "affected_versions": "v2.6.12-rc2 to v3.9-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: cdc-wdm: fix buffer overflow", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "c0f5ecee4e741667b2493c742b60b6218d40b3aa", "last_affected_version": "3.2.40", "nvd_text": "Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1860", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1860", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1860", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1860", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1860", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1860" } }, "CVE-2013-1928": { "affected_versions": "v2.6.12-rc2 to v3.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Information Leak / Disclosure", "fixes": 
"12176503366885edd542389eed3aaf94be163fdb", "last_affected_version": "3.2.32", "nvd_text": "The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1928", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1928", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1928", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1928", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1928", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1928" } }, "CVE-2013-1929": { "affected_versions": "v2.6.35-rc1 to v3.9-rc6", "breaks": "184b89044fb6e2a74611dafa69b1dce0d98612c6", "cmt_msg": "tg3: fix length overflow in VPD firmware parsing", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.4" }, "cwe": "Buffer Errors", "fixes": "715230a44310a8cf66fbfb5a46f9a62a9b2de424", "last_affected_version": "3.2.42", "nvd_text": "Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1929", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1929", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1929", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1929", "SUSE": 
"https://www.suse.com/security/cve/CVE-2013-1929", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1929" } }, "CVE-2013-1935": { "backport": true, "breaks": "ae7a2a3fb6f8b784c2752863f4f1f20c656f76fb", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.7" }, "cwe": "Race Conditions", "fixes": "b463a6f744a263fccd7da14db1afdc880371a280", "nvd_text": "A certain Red Hat patch to the KVM subsystem in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly implement the PV EOI feature, which allows guest OS users to cause a denial of service (host OS crash) by leveraging a time window during which interrupts are disabled but copy_to_user function calls are possible.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1935", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1935", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1935", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1935", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1935", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1935" } }, "CVE-2013-1943": { "affected_versions": "v2.6.12-rc2 to v3.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": 
"fa3d315a4ce2c0891cdde262562e710d95fba19e", "last_modified": "2020-08-05", "nvd_text": "The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1943", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1943", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1943", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1943", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1943", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1943" } }, "CVE-2013-1956": { "affected_versions": "v2.6.12-rc2 to v3.9-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "userns: Don't allow creation if the user is chrooted", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "2.1" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "3151527ee007b73a0ebd296010f1c0454a919c7d", "nvd_text": "The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1956", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1956", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1956", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1956", "SUSE": 
"https://www.suse.com/security/cve/CVE-2013-1956", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1956" } }, "CVE-2013-1957": { "affected_versions": "v3.8-rc1 to v3.9-rc5", "breaks": "0c55cfc4166d9a0f38de779bd4d75a90afbe7734", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "90563b198e4c6674c63672fae1923da467215f45", "nvd_text": "The clone_mnt function in fs/namespace.c in the Linux kernel before 3.8.6 does not properly restrict changes to the MNT_READONLY flag, which allows local users to bypass an intended read-only property of a filesystem by leveraging a separate mount namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1957", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1957", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1957", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1957", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1957", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1957" } }, "CVE-2013-1958": { "affected_versions": "v3.8-rc1 to v3.9-rc5", "breaks": "49f4d8b93ccf9454284b6f524b96c66d8d7fbccc", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "1.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "92f28d973cce45ef5823209aab3138eb45d8b349", "nvd_text": "The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging 
the time interval during which a user namespace has been created but a PID namespace has not been created.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1958", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1958", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1958", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1958", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1958", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1958" } }, "CVE-2013-1959": { "affected_versions": "v3.8-rc1 to v3.9-rc7", "breaks": "771b1371686e0a63e938ada28de020b9a0040f55", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.7" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "935d8aabd4331f47a89c3e1daa5779d23cf244ee", "nvd_text": "kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1959", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1959", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1959", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1959", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1959", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1959" } }, "CVE-2013-1979": { "affected_versions": "v2.6.36-rc1 to v3.9-rc8", "breaks": "257b5358b32f17e0603b6ff57b13610b0e02348f", "cmt_msg": "net: fix incorrect credentials passing", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "83f1b4ba917db5dc5a061a44b3403ddb6e783494", "last_affected_version": "3.2.43", "nvd_text": "The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-1979", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-1979", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-1979", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-1979", "SUSE": "https://www.suse.com/security/cve/CVE-2013-1979", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1979" } }, "CVE-2013-2015": { "affected_versions": "v3.7-rc1 to v3.8-rc2", "breaks": "c9b92530a723ac5ef8e352885a1862b18f31b2f5", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "0e9a9a1ad619e7e987815d20262d36a2f95717ca", "nvd_text": "The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2015", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2015", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2015", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2015", "SUSE": 
"https://www.suse.com/security/cve/CVE-2013-2015", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2015" } }, "CVE-2013-2017": { "affected_versions": "v2.6.33-rc1 to v2.6.34", "breaks": "445409602c09219767c06497c0dc2285eac244ed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "6ec82562ffc6f297d0de36d65776cff8e5704867", "nvd_text": "The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6.34 does not properly manage skbs during congestion, which allows remote attackers to cause a denial of service (system crash) by leveraging lack of skb consumption in conjunction with a double-free error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2017", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2017", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2017", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2017", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2017", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2017" } }, "CVE-2013-2058": { "affected_versions": "v3.5-rc1 to v3.8-rc4", "breaks": "eb70e5ab8f95a81283623c03d2c99dfc59fcb319", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "929473ea05db455ad88cdc081f2adc556b8dc48f", "nvd_text": "The host_start function in drivers/usb/chipidea/host.c in the Linux kernel before 3.7.4 does not properly support a certain non-streaming option, which allows local users to cause a denial of service (system crash) by sending a large amount of network traffic through a USB/Ethernet adapter.", 
"ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2058", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2058", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2058", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2058", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2058", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2058" } }, "CVE-2013-2094": { "affected_versions": "v2.6.37-rc1 to v3.9-rc8", "breaks": "b0a873ebbf87bf38bf70b5e39a7cadc96099fa13", "cmt_msg": "perf: Treat attr.config as u64 in perf_swevent_init()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Numeric Errors", "fixes": "8176cced706b5e5d15887584150764894e94e02f", "last_affected_version": "3.2.44", "nvd_text": "The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2094", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2094", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2094", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2094", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2094", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2094" } }, "CVE-2013-2128": { "affected_versions": "v2.6.12-rc2 to v2.6.34-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "baff42ab1494528907bf4d5870359e31711746ae", "last_modified": "2020-08-05", "nvd_text": "The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2128", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2128", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2128", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2128" } }, "CVE-2013-2140": { "affected_versions": "v3.2-rc1 to v3.11-rc3", "breaks": "b3cb0d6adc4bbc70b5e37e49a6068e973545ead7", "cmt_msg": "xen/blkback: Check device permissions before allowing OP_DISCARD", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "3.8" }, "cwe": "Input Validation", "fixes": "604c499cbbcc3d5fe5fb8d53306aa0fae1990109", "nvd_text": "The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest OS users to cause a denial of service (data loss) via filesystem write operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD (aka discard or TRIM) or (2) SCSI UNMAP feature.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2140", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-2140", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2140", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2140", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2140", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2140" } }, "CVE-2013-2141": { "affected_versions": "v2.6.12-rc2 to v3.9-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kernel/signal.c: stop info leak via the tkill and the tgkill syscalls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Resource Management Errors", "fixes": "b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f", "last_affected_version": "3.2.43", "nvd_text": "The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2141", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2141", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2141", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2141", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2141", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2141" } }, "CVE-2013-2146": { "affected_versions": "v3.1-rc1 to v3.9-rc8", "breaks": "ee89cbc2d48150c7c0e9f2aaac00afde99af098c", "cmt_msg": "perf/x86: Fix offcore_rsp valid mask for SNB/IVB", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Input Validation", "fixes": 
"f1923820c447e986a9da0fc6bf60c1dccdf0408e", "last_affected_version": "3.2.44", "nvd_text": "arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2146", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2146", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2146", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2146", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2146", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2146" } }, "CVE-2013-2147": { "affected_versions": "v2.6.12-rc2 to v3.12-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cpqarray: fix info leak in ida_locked_ioctl()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Resource Management Errors", "fixes": "627aad1c01da6f881e7f98d71fd928ca0c316b1a", "last_affected_version": "3.2.51", "nvd_text": "The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2147", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-2147", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2147", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2147", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2147", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2147" } }, "CVE-2013-2148": { "affected_versions": "v2.6.37-rc7 to v3.11-rc1", "breaks": "62731fa0c893515dc6cbc3e0a2879a92793c735f", "cmt_msg": "fanotify: info leak in copy_event_to_user()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Resource Management Errors", "fixes": "de1e0c40aceb9d5bff09c3a3b97b2f1b178af53f", "last_affected_version": "3.2.49", "nvd_text": "The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2148", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2148", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2148", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2148", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2148", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2148" } }, "CVE-2013-2164": { "affected_versions": "v2.6.12-rc2 to v3.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drivers/cdrom/cdrom.c: use kzalloc() for failing hardware", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", 
"fixes": "542db01579fbb7ea7d1f7bb9ddcef1559df660b2", "last_affected_version": "3.2.48", "nvd_text": "The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2164", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2164", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2164", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2164", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2164", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2164" } }, "CVE-2013-2188": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "A certain Red Hat patch to the do_filp_open function in fs/namei.c in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle failure to obtain write permissions, which allows local users to cause a denial of service (system crash) by leveraging access to a filesystem that is mounted read-only.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2188", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2188", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2188", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2188", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2188", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2188" }, "vendor_specific": true }, "CVE-2013-2206": { "affected_versions": "v2.6.12-rc2 to v3.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": 
"sctp: Use correct sideffect command in duplicate cookie handling", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.4" }, "cwe": "Other", "fixes": "f2815633504b442ca0b0605c16bf3d88a3a0fcea", "nvd_text": "The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2206", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2206", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2206", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2206", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2206", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2206" } }, "CVE-2013-2224": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Other", "fixes": "", "nvd_text": "A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows local users to cause a denial of service (invalid free operation and system crash) or possibly gain privileges via a sendmsg system call with the IP_RETOPTS option, as demonstrated by hemlock.c. 
NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-3552.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2224", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2224", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2224", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2224", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2224", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2224" }, "vendor_specific": true }, "CVE-2013-2232": { "affected_versions": "v2.6.12-rc2 to v3.10", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: ip6_sk_dst_check() must not assume ipv6 dst", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "a963a37d384d71ad43b3e9e79d68d42fbe0901f3", "last_affected_version": "3.2.49", "nvd_text": "The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2232", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2232", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2232", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2232", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2232", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2232" } }, "CVE-2013-2234": { "affected_versions": "v2.6.12-rc2 to v3.10", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "af_key: fix info leaks in notify messages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", 
"Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Buffer Errors", "fixes": "a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887", "last_affected_version": "3.2.49", "nvd_text": "The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2234", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2234", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2234", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2234", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2234", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2234" } }, "CVE-2013-2237": { "affected_versions": "v2.6.12-rc2 to v3.9-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "af_key: initialize satype in key_notify_policy_flush()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Buffer Errors", "fixes": "85dfb745ee40232876663ae206cba35f24ab2a40", "last_affected_version": "3.2.50", "nvd_text": "The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2237", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2237", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2237", 
"Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2237", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2237", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2237" } }, "CVE-2013-2239": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2239", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2239", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2239", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2239", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2239", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2239" }, "vendor_specific": true }, "CVE-2013-2546": { "affected_versions": "v2.6.12-rc2 to v3.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: user - fix info leaks in report API", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Cryptographic Issues", "fixes": "9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6", "last_affected_version": "3.2.40", "nvd_text": "The report API in the crypto user configuration API in the 
Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2546", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2546", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2546", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2546", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2546", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2546" } }, "CVE-2013-2547": { "affected_versions": "v2.6.12-rc2 to v3.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: user - fix info leaks in report API", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Cryptographic Issues", "fixes": "9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6", "last_affected_version": "3.2.40", "nvd_text": "The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2547", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2547", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2547", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2547", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2547", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2547" } }, "CVE-2013-2548": { "affected_versions": "v2.6.12-rc2 to v3.9-rc1", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: user - fix info leaks in report API", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Cryptographic Issues", "fixes": "9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6", "last_affected_version": "3.2.40", "nvd_text": "The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2548", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2548", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2548", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2548", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2548", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2548" } }, "CVE-2013-2596": { "affected_versions": "v2.6.12-rc2 to v3.9-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vm: convert fb_mmap to vm_iomap_memory() helper", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Numeric Errors", "fixes": "fc9bbca8f650e5f738af8806317c0a041a48ae4a", "last_affected_version": "3.2.44", "last_modified": "2020-05-27", "nvd_text": "Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of 
kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2596", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2596", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2596", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2596", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2596", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2596" } }, "CVE-2013-2634": { "affected_versions": "v2.6.29-rc1 to v3.9-rc3", "breaks": "2f90b8657ec942d1880f720e0177ee71df7c8e3c", "cmt_msg": "dcbnl: fix various netlink info leaks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Resource Management Errors", "fixes": "29cd8ae0e1a39e239a3a7b67da1986add1199fc0", "last_affected_version": "3.2.41", "nvd_text": "net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2634", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2634", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2634", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2634", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2634" } }, "CVE-2013-2635": { "affected_versions": "v2.6.34-rc1 to v3.9-rc3", "breaks": "ebc08a6f47ee76ecad8e9f26c26e6ec9b46ca659", "cmt_msg": "rtnl: fix info leak on RTM_GETLINK request for VF devices", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": 
"None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Resource Management Errors", "fixes": "84d73cd3fb142bf1298a8c13fd4ca50fd2432372", "nvd_text": "The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2635", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2635", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2635", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2635", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2635", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2635" } }, "CVE-2013-2636": { "affected_versions": "v3.8-rc1 to v3.9-rc3", "breaks": "ee07c6e7a6f8a25c18f0a6b18152fbd7499245f6", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Resource Management Errors", "fixes": "c085c49920b2f900ba716b4ca1c1a55ece9872cc", "nvd_text": "net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2636", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2636", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2636", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2636" } }, "CVE-2013-2850": { "affected_versions": "v3.1-rc1 to 
v3.10-rc4", "breaks": "e48354ce078c079996f89d715dfa44814b4eba01", "cmt_msg": "iscsi-target: fix heap buffer overflow on error", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.9" }, "cwe": "Buffer Errors", "fixes": "cea4dcfdad926a27a18e188720efe0f2c9403456", "last_affected_version": "3.2.46", "nvd_text": "Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2850", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2850", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2850", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2850", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2850", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2850" } }, "CVE-2013-2851": { "affected_versions": "v2.6.12-rc2 to v3.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block: do not pass disk names as format strings", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.0" }, "cwe": "Format String Vulnerability", "fixes": "ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19", "last_affected_version": "3.2.48", "nvd_text": "Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by 
leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2851", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2851", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2851", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2851", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2851", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2851" } }, "CVE-2013-2852": { "affected_versions": "v2.6.12-rc2 to v3.10-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "b43: stop format string leaking into error msgs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Format String Vulnerability", "fixes": "e0e29b683d6784ef59bbc914eac85a04b650e63c", "last_affected_version": "3.2.46", "nvd_text": "Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2852", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2852", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2852", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2852", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2852", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2852" } }, "CVE-2013-2888": { "affected_versions": "v2.6.12-rc2 to v3.12-rc1", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: validate HID report id size", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Input Validation", "fixes": "43622021d2e2b82ea03d883926605bdd0525e1d1", "last_affected_version": "3.2.51", "nvd_text": "Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2888", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2888", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2888", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2888", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2888", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2888" } }, "CVE-2013-2889": { "affected_versions": "v2.6.12-rc2 to v3.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: zeroplus: validate output report details", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "78214e81a1bf43740ce89bb5efda78eac2f8ef83", "last_affected_version": "3.2.51", "nvd_text": "drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2013-2889", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2889", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2889", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2889", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2889", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2889" } }, "CVE-2013-2890": { "affected_versions": "v3.11-rc1 to v3.12-rc2", "breaks": "f04d51404f51947d3feabf2518495ba5aa3bb2c4", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "9446edb9a1740989cf6c20daf7510fb9a23be14a", "nvd_text": "drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SONY is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2890", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2890", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2890", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2890", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2890", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2890" } }, "CVE-2013-2891": { "affected_versions": "v3.9-rc1 to v3.12-rc2", "breaks": "2e2daff3a51f2d10155b03f461f4e29eaf80dcbd", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "41df7f6d43723deb7364340b44bc5d94bf717456", "nvd_text": "drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem 
in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2891", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2891", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2891", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2891", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2891", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2891" } }, "CVE-2013-2892": { "affected_versions": "v2.6.12-rc2 to v3.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: pantherlord: validate output report details", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "412f30105ec6735224535791eed5cdc02888ecb4", "last_affected_version": "3.2.51", "nvd_text": "drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2892", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2892", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2892", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2892", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2892", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2892" } }, "CVE-2013-2893": { "affected_versions": "v2.6.12-rc2 to v3.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: LG: validate HID output report 
details", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "0fb6bd06e06792469acc15bbe427361b56ada528", "last_affected_version": "3.2.51", "nvd_text": "The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2893", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2893", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2893", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2893", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2893", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2893" } }, "CVE-2013-2894": { "affected_versions": "v3.6-rc1 to v3.12-rc2", "breaks": "c1dcad2d32d0252e8a3023d20311b52a187ecda3", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "0a9cd0a80ac559357c6a90d26c55270ed752aa26", "nvd_text": "drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2894", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-2894", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2894", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2894", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2894", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2894" } }, "CVE-2013-2895": { "affected_versions": "v3.2-rc1 to v3.12-rc2", "breaks": "534a7b8e10ec55d9f521e68c20dbb3634c25b98a", "cmt_msg": "HID: logitech-dj: validate output report details", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.4" }, "cwe": "Buffer Errors", "fixes": "297502abb32e225fb23801fcdb0e4f6f8e17099a", "last_affected_version": "3.2.51", "nvd_text": "drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or obtain sensitive information from kernel memory via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2895", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2895", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2895", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2895", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2895", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2895" } }, "CVE-2013-2896": { "affected_versions": "v2.6.39-rc1 to v3.12-rc1", "breaks": "7b2a64c96ad53c4299f7e6ddf8c2f99cb48940a9", "cmt_msg": "HID: ntrig: validate feature report details", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": 
"Other", "fixes": "875b4e3763dbc941f15143dd1a18d10bb0be303b", "last_affected_version": "3.2.51", "nvd_text": "drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2896", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2896", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2896", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2896" } }, "CVE-2013-2897": { "affected_versions": "v3.6-rc1 to v3.12-rc2", "breaks": "4aceed37e315e8eaa26cb4c8dfd619a32fa24669", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Input Validation", "fixes": "8821f5dc187bdf16cfb32ef5aa8c3035273fa79a", "nvd_text": "Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2897", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2897", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2897", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2897", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2897", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2897" } }, "CVE-2013-2898": { 
"affected_versions": "v3.7-rc1 to v3.12-rc1", "breaks": "401ca24fb34aee0cedf9c4fef361e533224f15a1", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Input Validation", "fixes": "9e8910257397372633e74b333ef891f20c800ee4", "nvd_text": "drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sensitive information from kernel memory via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2898", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2898", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2898", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2898", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2898", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2898" } }, "CVE-2013-2899": { "affected_versions": "v2.6.35-rc1 to v3.12-rc1", "breaks": "236db47c2b3b69464d50c695ab2ddd516cf64520", "cmt_msg": "HID: picolcd_core: validate output report details", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "1e87a2456b0227ca4ab881e19a11bb99d164e792", "last_affected_version": "3.2.51", "nvd_text": "drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2899", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-2899", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2899", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2899", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2899", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2899" } }, "CVE-2013-2929": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "exec/ptrace: fix get_dumpable() incorrect tests", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.3" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "d049f74f2dbe71354d43d393ac3a188947811348", "last_affected_version": "3.12.1", "nvd_text": "The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2929", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2929", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2929", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2929", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2929", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2929" } }, "CVE-2013-2930": { "affected_versions": "v3.4-rc1 to v3.13-rc1", "breaks": "ced39002f5ea736b716ae233fb68b26d59783912", "cmt_msg": "perf/ftrace: Fix paranoid level for enabling function tracer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.6" 
}, "cwe": "Permissions, Privileges, and Access Control", "fixes": "12ae030d54ef250706da5642fc7697cc60ad0df7", "last_affected_version": "3.12.1", "nvd_text": "The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-2930", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-2930", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-2930", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-2930", "SUSE": "https://www.suse.com/security/cve/CVE-2013-2930", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2930" } }, "CVE-2013-3076": { "affected_versions": "v2.6.38-rc1 to v3.9", "breaks": "03c8efc1ffeb6b82a22c1af8dd908af349563314", "cmt_msg": "crypto: algif - suppress sending source address information in recvmsg", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "72a763d805a48ac8c0bf48fdb510e84c12de51fe", "last_affected_version": "3.2.44", "nvd_text": "The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hash_recvmsg function in crypto/algif_hash.c and the skcipher_recvmsg function in crypto/algif_skcipher.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3076", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3076", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3076", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3076", 
"SUSE": "https://www.suse.com/security/cve/CVE-2013-3076", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3076" } }, "CVE-2013-3222": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "atm: update msg_namelen in vcc_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "9b3e617f3df53822345a8573b6d358f6b9e5ed87", "last_affected_version": "3.2.44", "nvd_text": "The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3222", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3222", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3222", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3222" } }, "CVE-2013-3223": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ax25: fix info leak via msg_name in ax25_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "ef3313e84acbf349caecae942ab3ab731471f1a1", "last_affected_version": "3.2.44", "nvd_text": "The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a 
certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3223", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3223", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3223", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3223", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3223", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3223" } }, "CVE-2013-3224": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: fix possible info leak in bt_sock_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "4683f42fde3977bdb4e8a09622788cc8b5313778", "last_affected_version": "3.2.44", "nvd_text": "The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3224", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3224", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3224", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3224", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3224", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3224" } }, "CVE-2013-3225": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: RFCOMM - Fix missing msg_namelen 
update in rfcomm_sock_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "e11e0455c0d7d3d62276a0c55d9dfbc16779d691", "nvd_text": "The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3225", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3225", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3225", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3225", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3225", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3225" } }, "CVE-2013-3226": { "affected_versions": "v3.8-rc1 to v3.9-rc7", "breaks": "20714bfef84d3e690c9c6f8e9cd46543b5ae1eed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "c8c499175f7d295ef867335bceb9a76a2c3cdc38", "nvd_text": "The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3226", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3226", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3226", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2013-3226", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3226", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3226" } }, "CVE-2013-3227": { "affected_versions": "v2.6.35-rc1 to v3.9-rc7", "breaks": "e6f95ec8db312491235b4f06343fbd991a82ce20", "cmt_msg": "caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "2d6fbfe733f35c6b355c216644e08e149c61b271", "nvd_text": "The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3227", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3227", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3227", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3227", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3227", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3227" } }, "CVE-2013-3228": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "irda: Fix missing msg_namelen update in irda_recvmsg_dgram()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "5ae94c0d2f0bed41d6718be743985d61b7f5c47d", "nvd_text": "The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel 
before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3228", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3228", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3228", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3228", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3228", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3228" } }, "CVE-2013-3229": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "a5598bd9c087dc0efc250a5221e5d0e6f584ee88", "nvd_text": "The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3229", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3229", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3229", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3229", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3229", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3229" } }, "CVE-2013-3230": { "affected_versions": "v3.5-rc1 to v3.9-rc7", "breaks": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "b860d3cc62877fad02863e2a08efff69a19382d2", "nvd_text": "The l2tp_ip6_recvmsg function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.9-rc7 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3230", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3230", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3230", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3230", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3230", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3230" } }, "CVE-2013-3231": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "llc: Fix missing msg_namelen update in llc_ui_recvmsg()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Information Leak / Disclosure", "fixes": "c77a4b9cffb6215a15196ec499490d116dfad181", "nvd_text": "The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3231", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3231", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3231", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3231", "SUSE": 
"https://www.suse.com/security/cve/CVE-2013-3231", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3231" } }, "CVE-2013-3232": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netrom: fix info leak via msg_name in nr_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "3ce5efad47b62c57a4f5c54248347085a750ce0e", "last_affected_version": "3.2.44", "nvd_text": "The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3232", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3232", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3232", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3232", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3232", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3232" } }, "CVE-2013-3233": { "affected_versions": "v3.3-rc1 to v3.9-rc7", "breaks": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "d26d6504f23e803824e8ebd14e52d4fc0a0b09cb", "nvd_text": "The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain 
sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3233", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3233", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3233", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3233", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3233", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3233" } }, "CVE-2013-3234": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rose: fix info leak via msg_name in rose_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "4a184233f21645cf0b719366210ed445d1024d72", "last_affected_version": "3.2.44", "nvd_text": "The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3234", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3234", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3234", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3234", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3234", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3234" } }, "CVE-2013-3235": { "affected_versions": "v2.6.12-rc2 to v3.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tipc: fix info leaks via msg_name in recv_msg/recv_stream", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "60085c3d009b0df252547adb336d1ccca5ce52ec", "nvd_text": "net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3235", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3235", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3235", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3235", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3235", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3235" } }, "CVE-2013-3236": { "affected_versions": "v3.9-rc1 to v3.9-rc7", "breaks": "d021c344051af91f42c5ba9fdedc176740cbd238", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "680d04e0ba7e926233e3b9cee59125ce181f66ba", "nvd_text": "The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transport.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3236", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3236", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3236", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3236", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3236", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3236" } }, "CVE-2013-3237": { "affected_versions": "v3.9-rc1 to v3.9-rc7", "breaks": "d021c344051af91f42c5ba9fdedc176740cbd238", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "d5e0d0f607a7a029c6563a0470d88255c89a8d11", "nvd_text": "The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3237", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3237", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3237", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3237", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3237", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3237" } }, "CVE-2013-3301": { "affected_versions": "v2.6.33-rc1 to v3.9-rc7", "breaks": "756d17ee7ee4fbc8238bdf97100af63e6ac441ef", "cmt_msg": "tracing: Fix possible NULL pointer dereferences", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Other", "fixes": "6a76f8c0ab19f215af2a3442870eeb5f0e81998d", "last_affected_version": "3.2.43", "nvd_text": "The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the 
(1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3301", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3301", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3301", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3301", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3301", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3301" } }, "CVE-2013-3302": { "affected_versions": "v3.7-rc1 to v3.8-rc3", "breaks": "6f49f46b187df34539f1e5df2469b8a541897700", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.4" }, "cwe": "Race Conditions", "fixes": "ea702b80e0bbb2448e201472127288beb82ca2fe", "nvd_text": "Race condition in the smb_send_rqst function in fs/cifs/transport.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors involving a reconnection event.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-3302", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-3302", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-3302", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-3302", "SUSE": "https://www.suse.com/security/cve/CVE-2013-3302", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3302" } }, "CVE-2013-4125": { "affected_versions": "v3.8-rc1 to v3.11-rc1", "breaks": "51ebd3181572af8d5076808dab2682d800f6da5d", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.4" }, "cwe": "Resource Management 
Errors", "fixes": "307f2fb95e9b96b3577916e73d92e104f8f26494", "nvd_text": "The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack in the Linux kernel through 3.10.1 does not properly handle Router Advertisement (RA) messages in certain circumstances involving three routes that initially qualified for membership in an ECMP route set until a change occurred for one of the first two routes, which allows remote attackers to cause a denial of service (system crash) via a crafted sequence of messages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4125", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4125", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4125", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4125", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4125", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4125" } }, "CVE-2013-4127": { "affected_versions": "v3.8-rc1 to v3.11-rc1", "breaks": "1280c27f8e29acf4af2da914e80ec27c3dbd5c01", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "dd7633ecd553a5e304d349aa6f8eb8a0417098c5", "nvd_text": "Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4127", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4127", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4127", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4127", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4127", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4127" } }, "CVE-2013-4129": { "affected_versions": "v3.11-rc1 to v3.11-rc1", "backport": true, "breaks": "9f00b2e7cf241fa389733d41b615efdaa2cb0f5b", "cmt_msg": "bridge: fix some kernel warning in multicast timer", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Input Validation", "fixes": "c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1", "last_modified": "2021-07-08", "nvd_text": "The bridge multicast implementation in the Linux kernel through 3.10.3 does not check whether a certain timer is armed before modifying the timeout value of that timer, which allows local users to cause a denial of service (BUG and system crash) via vectors involving the shutdown of a KVM virtual machine, related to net/bridge/br_mdb.c and net/bridge/br_multicast.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4129", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4129", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4129", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4129", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4129", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4129" } }, "CVE-2013-4162": { "affected_versions": "v2.6.12-rc2 to v3.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1", "last_affected_version": "3.2.49", "nvd_text": "The 
udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4162", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4162", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4162", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4162", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4162", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4162" } }, "CVE-2013-4163": { "affected_versions": "v3.5-rc1 to v3.11-rc1", "breaks": "0c1833797a5a6ec23ea9261d979aa18078720b74", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "75a493e60ac4bbe2e977e7129d6d8cbb0dd236be", "nvd_text": "The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4163", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4163", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4163", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4163", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4163", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4163" } }, 
"CVE-2013-4205": { "affected_versions": "v3.8-rc1 to v3.11-rc5", "breaks": "b2e0d98705e60e45bbb3c0032c48824ad7ae0704", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "6160968cee8b90a5dd95318d716e31d7775c4ef3", "nvd_text": "Memory leak in the unshare_userns function in kernel/user_namespace.c in the Linux kernel before 3.10.6 allows local users to cause a denial of service (memory consumption) via an invalid CLONE_NEWUSER unshare call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4205", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4205", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4205", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4205", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4205", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4205" } }, "CVE-2013-4220": { "affected_versions": "v3.7-rc1 to v3.10-rc4", "breaks": "60ffc30d5652810dd34ea2eec41504222f5d5791", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Insufficient Information", "fixes": "9955ac47f4ba1c95ecb6092aeaefb40a22e99268", "nvd_text": "The bad_mode function in arch/arm64/kernel/traps.c in the Linux kernel before 3.9.5 on the ARM64 platform allows local users to cause a denial of service (system crash) via vectors involving an attempted register access that triggers an unexpected value in the Exception Syndrome Register (ESR).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4220", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4220", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2013-4220", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4220", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4220", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4220" } }, "CVE-2013-4247": { "affected_versions": "v3.8-rc1 to v3.10-rc5", "breaks": "839db3d10a5ba792d6533b8bb3380f52ac877344", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Numeric Errors", "fixes": "1fc29bacedeabb278080e31bb9c1ecb49f143c3b", "nvd_text": "Off-by-one error in the build_unc_path_to_root function in fs/cifs/connect.c in the Linux kernel before 3.9.6 allows remote attackers to cause a denial of service (memory corruption and system crash) via a DFS share mount operation that triggers use of an unexpected DFS referral name length.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4247", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4247", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4247", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4247", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4247", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4247" } }, "CVE-2013-4254": { "affected_versions": "v2.6.38-rc1 to v3.11-rc6", "breaks": "84fee97a026ca085f08381054513f9e24689a303", "cmt_msg": "ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Input Validation", "fixes": "d9f966357b14e356dbd83b8f4a197a287ab4ff83", "nvd_text": "The validate_event function in arch/arm/kernel/perf_event.c in the 
Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4254", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4254", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4254", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4254", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4254", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4254" } }, "CVE-2013-4270": { "affected_versions": "v3.8-rc1 to v3.12-rc4", "breaks": "cff109768b2d9c03095848f4cd4b0754117262aa", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.6" }, "cwe": "Input Validation", "fixes": "2433c8f094a008895e66f25bd1773cdb01c91d01", "nvd_text": "The net_ctl_permissions function in net/sysctl_net.c in the Linux kernel before 3.11.5 does not properly determine uid and gid values, which allows local users to bypass intended /proc/sys/net restrictions via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4270", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4270", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4270", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4270", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4270", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4270" } }, "CVE-2013-4299": { "affected_versions": "v2.6.12-rc2 to v3.12-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dm snapshot: fix data corruption", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": 
"Single", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.0" }, "cwe": "Information Leak / Disclosure", "fixes": "e9c6a182649f4259db704ae15a91ac820e63b0ca", "last_affected_version": "3.2.52", "nvd_text": "Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4299", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4299", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4299", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4299", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4299", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4299" } }, "CVE-2013-4300": { "affected_versions": "v3.9-rc5 to v3.11", "breaks": "92f28d973cce45ef5823209aab3138eb45d8b349", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "d661684cf6820331feae71146c35da83d794467e", "nvd_text": "The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.11 performs a capability check in an incorrect namespace, which allows local users to gain privileges via PID spoofing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4300", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4300", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4300", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4300", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4300", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4300" } }, 
"CVE-2013-4312": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "unix: properly account for FDs passed over unix sockets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "6.2" }, "cwe": "Buffer Errors", "fixes": "712f4aad406bb1ed67f3f98d04c044191f0ff593", "last_affected_version": "4.4.0", "last_modified": "2019-03-20", "nvd_text": "The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4312", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4312", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4312", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4312", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4312", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4312" } }, "CVE-2013-4343": { "affected_versions": "v3.8-rc1 to v3.12-rc2", "breaks": "c8d68e6be1c3b242f1c598595830890b65cea64a", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Resource Management Errors", "fixes": "662ca437e714caaab855b12415d6ffd815985bc0", "nvd_text": "Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 
allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4343", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4343", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4343", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4343", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4343", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4343" } }, "CVE-2013-4345": { "affected_versions": "v2.6.12-rc2 to v3.13-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: ansi_cprng - Fix off by one error in non-block size request", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "5.8" }, "cwe": "Numeric Errors", "fixes": "714b33d15130cbb5ab426456d4e3de842d6c5b8a", "last_affected_version": "3.12.1", "nvd_text": "Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4345", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4345", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4345", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4345", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4345", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4345" } }, "CVE-2013-4348": { "affected_versions": "v3.2-rc1 to v3.13-rc1", "breaks": "ec5efe7946280d1e84603389a1030ccec0a767ae", "cmt_msg": "net: 
flow_dissector: fail on evil iph->ihl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Resource Management Errors", "fixes": "6f092343855a71e03b8d209815d8c45bf3a27fcd", "last_affected_version": "3.12.0", "nvd_text": "The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4348", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4348", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4348", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4348", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4348", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4348" } }, "CVE-2013-4350": { "affected_versions": "v2.6.12-rc2 to v3.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Cryptographic Issues", "fixes": "95ee62083cb6453e056562d91f597552021e6ae7", "last_affected_version": "3.2.51", "nvd_text": "The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4350", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-4350", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4350", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4350", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4350", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4350" } }, "CVE-2013-4387": { "affected_versions": "v2.6.15-rc1 to v3.12-rc4", "breaks": "e89e9cf539a28df7d0eb1d0a545368e9920b34ac", "cmt_msg": "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "6.1" }, "cwe": "Buffer Errors", "fixes": "2811ebac2521ceac84f2bdae402455baa6a7fb47", "last_affected_version": "3.2.51", "nvd_text": "net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4387", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4387", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4387", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4387", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4387", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4387" } }, "CVE-2013-4470": { "affected_versions": "v2.6.15-rc1 to v3.12-rc7", "breaks": "e89e9cf539a28df7d0eb1d0a545368e9920b34ac", "cmt_msg": "ip6_output: do skb ufo init for peeked non ufo skb as well", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b", "last_affected_version": "3.2.52", "nvd_text": "The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4470", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4470", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4470", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4470", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4470", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4470" } }, "CVE-2013-4483": { "affected_versions": "v2.6.12-rc2 to v3.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipc,sem: fine grained locking for semtimedop", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Numeric Errors", "fixes": "6062a8dc0517bce23e3c2f7d2fea5e22411269a3", "last_affected_version": "3.2.56", "nvd_text": "The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2013-4483", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4483", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4483", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4483", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4483", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4483" } }, "CVE-2013-4511": { "affected_versions": "v2.6.12-rc2 to v3.12", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "uml: check length in exitcode_proc_write()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Numeric Errors", "fixes": "201f99f170df14ba52ea4c52847779042b7a623b", "last_affected_version": "3.11", "nvd_text": "Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4511", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4511", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4511", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4511", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4511", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4511" } }, "CVE-2013-4512": { "affected_versions": "v2.6.12-rc2 to v3.12", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "uml: check length in exitcode_proc_write()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": 
"None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "201f99f170df14ba52ea4c52847779042b7a623b", "last_affected_version": "3.11", "nvd_text": "Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4512", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4512", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4512", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4512", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4512", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4512" } }, "CVE-2013-4513": { "affected_versions": "v3.4-rc1 to v3.12", "breaks": "23af8c2a088fe5ae142103fb32fa03755cda694c", "cmt_msg": "staging: ozwpan: prevent overflow in oz_cdev_write()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Buffer Errors", "fixes": "c2c65cd2e14ada6de44cb527e7f1990bede24e15", "last_affected_version": "3.11", "nvd_text": "Buffer overflow in the oz_cdev_write function in drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted write operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4513", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4513", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4513", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4513", "SUSE": 
"https://www.suse.com/security/cve/CVE-2013-4513", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4513" } }, "CVE-2013-4514": { "affected_versions": "v2.6.33-rc1 to v3.12", "breaks": "68c0bdff7ac903421f224e080499c51cd5287f97", "cmt_msg": "staging: wlags49_h2: buffer overflow setting station name", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "b5e2f339865fb443107e5b10603e53bbc92dc054", "last_affected_version": "3.11", "nvd_text": "Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4514", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4514", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4514", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4514", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4514", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4514" } }, "CVE-2013-4515": { "affected_versions": "v2.6.37-rc1 to v3.12", "breaks": "f8942e07a3db9d82e8fb11d3d494876b8bae9ff9", "cmt_msg": "Staging: bcm: info leak in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "8d1e72250c847fa96498ec029891de4dc638a5ba", "last_affected_version": "3.11", "nvd_text": "The bcm_char_ioctl function in 
drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4515", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4515", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4515", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4515", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4515", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4515" } }, "CVE-2013-4516": { "affected_versions": "v3.8-rc1 to v3.12", "breaks": "68a81291ff6650f3ff409ebfc58ef97dfe85a2e4", "cmt_msg": "Staging: sb105x: info leak in mp_get_count()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "a8b33654b1e3b0c74d4a1fed041c9aae50b3c427", "last_affected_version": "3.11", "nvd_text": "The mp_get_count function in drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4516", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4516", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4516", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4516" } }, "CVE-2013-4563": { "affected_versions": "v3.10-rc5 to v3.13-rc1", "breaks": "1e2bd517c108816220f262d7954b697af03b5f9c", "cmt_msg": "ipv6: fix 
headroom calculation in udp6_ufo_fragment", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Numeric Errors", "fixes": "0e033e04c2678dbbe74a46b23fffb7bb918c288e", "last_affected_version": "3.12.3", "nvd_text": "The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4563", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4563", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4563", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4563", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4563", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4563" } }, "CVE-2013-4579": { "affected_versions": "v2.6.39-rc1 to v3.13-rc7", "breaks": "585895cdfc683a067d803fead83267cee309ffd0", "cmt_msg": "ath9k_htc: properly set MAC address and BSSID mask", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cwe": "Cryptographic Issues", "fixes": "657eb17d87852c42b55c4b06d5425baa08b2ddb3", "last_affected_version": "3.12.6", "nvd_text": "The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote 
attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4579", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4579", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4579", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4579", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4579", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4579" } }, "CVE-2013-4587": { "affected_versions": "v2.6.12-rc2 to v3.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: Improve create VCPU parameter (CVE-2013-4587)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Input Validation", "fixes": "338c7dbadd2671189cec7faf64c84d01071b3f96", "last_affected_version": "3.12.5", "nvd_text": "Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4587", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4587", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4587", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4587", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4587", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4587" } }, "CVE-2013-4588": { "affected_versions": "v2.6.12-rc2 to v2.6.33-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality 
Impact": "Complete", "Integrity Impact": "Complete", "score": "6.6" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Buffer Errors", "fixes": "04bcef2a83f40c6db24222b27a52892cba39dffb", "last_modified": "2020-08-06", "nvd_text": "Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4588", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4588", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4588", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4588" } }, "CVE-2013-4591": { "affected_versions": "v3.6-rc6 to v3.8-rc1", "breaks": "1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Buffer Errors", "fixes": "7d3e91a89b7adbc2831334def9e494dd9892f9af", "nvd_text": "Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended 
attribute of a pathname on an NFSv4 filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4591", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4591", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4591", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4591", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4591", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4591" } }, "CVE-2013-4592": { "affected_versions": "v2.6.12-rc2 to v3.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: perform an invalid memslot step for gpa base change", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Resource Management Errors", "fixes": "12d6e7538e2d418c08f082b1b44ffa5fb7270ed8", "last_affected_version": "3.2.53", "nvd_text": "Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4592", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4592", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4592", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4592", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4592", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4592" } }, "CVE-2013-4737": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cwe": "Permissions, Privileges, and Access Control", 
"fixes": "", "nvd_text": "The CONFIG_STRICT_MEMORY_RWX implementation for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly consider certain memory sections, which makes it easier for attackers to bypass intended access restrictions by leveraging the presence of RWX memory at a fixed location.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4737", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4737", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4737", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4737", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4737", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4737" }, "vendor_specific": true }, "CVE-2013-4738": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Buffer Errors", "fixes": "c9c81836ee44db9974007d34cf2aaeb1a51a8d45", "nvd_text": "Multiple stack-based buffer overflows in the MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to gain privileges via (1) a crafted VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl call, related to drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c, or (2) a crafted VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO ioctl call, related to drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4738", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4738", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4738", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4738", 
"SUSE": "https://www.suse.com/security/cve/CVE-2013-4738", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4738" }, "vendor_specific": true }, "CVE-2013-4739": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "8604847927f952cc8e773b97eca24e1060a570f2", "nvd_text": "The MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to obtain sensitive information from kernel stack memory via (1) a crafted MSM_MCR_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c, or (2) a crafted MSM_JPEG_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-4739", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-4739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-4739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-4739", "SUSE": "https://www.suse.com/security/cve/CVE-2013-4739", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4739" }, "vendor_specific": true }, "CVE-2013-5634": { "affected_versions": "v3.9-rc1 to v3.10-rc5", "breaks": "f7ed45be3ba524e06a6d933f0517dc7ad2d06703", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.3" }, "cwe": "Resource Management Errors", "fixes": "e8180dcaa8470ceca21109f143876fdcd9fe050a", "nvd_text": "arch/arm/kvm/arm.c in the Linux kernel before 3.10 on the ARM platform, 
when KVM is used, allows host OS users to cause a denial of service (NULL pointer dereference, OOPS, and host OS crash) or possibly have unspecified other impact by omitting vCPU initialization before a KVM_GET_REG_LIST ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-5634", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-5634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-5634", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-5634", "SUSE": "https://www.suse.com/security/cve/CVE-2013-5634", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-5634" } }, "CVE-2013-6282": { "affected_versions": "v2.6.12-rc2 to v3.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Input Validation", "fixes": "8404663f81d212918ff85f493649a7991209fa04", "last_affected_version": "3.2.53", "nvd_text": "The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6282", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6282", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6282", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6282", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6282", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6282" } }, "CVE-2013-6367": { 
"affected_versions": "v2.6.12-rc2 to v3.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.7" }, "cwe": "Numeric Errors", "fixes": "b963a22e6d1a266a67e9eecc88134713fd54775c", "last_affected_version": "3.12.5", "nvd_text": "The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6367", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6367", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6367", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6367", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6367", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6367" } }, "CVE-2013-6368": { "affected_versions": "v2.6.12-rc2 to v3.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Input Validation", "fixes": "fda4e2e85589191b123d31cdc21fd33ee70f50fd", "last_affected_version": "3.12.5", "nvd_text": "The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2013-6368", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6368", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6368", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6368", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6368", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6368" } }, "CVE-2013-6376": { "affected_versions": "v3.7-rc1 to v3.13-rc4", "breaks": "1e08ec4a130e2745d96df169e67c58df98a07311", "cmt_msg": "KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.2" }, "cwe": "Numeric Errors", "fixes": "17d68b763f09a9ce824ae23eb62c9efc57b69271", "last_affected_version": "3.12.5", "nvd_text": "The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6376", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6376", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6376", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6376", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6376", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6376" } }, "CVE-2013-6378": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "libertas: potential oops in debugfs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.4" }, "cwe": "Numeric 
Errors", "fixes": "a497e47d4aec37aaf8f13509f3ef3d1f6a717d88", "last_affected_version": "3.12.1", "nvd_text": "The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6378", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6378", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6378", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6378", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6378", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6378" } }, "CVE-2013-6380": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "aacraid: prevent invalid pointer dereference", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Input Validation", "fixes": "b4789b8e6be3151a955ade74872822f30e8cd914", "last_affected_version": "3.12.1", "nvd_text": "The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6380", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6380", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6380", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6380", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6380", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6380" } }, "CVE-2013-6381": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "qeth: avoid buffer overflow in snmp ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "6fb392b1a63ae36c31f62bc3fc8630b49d602b62", "last_affected_version": "3.12.2", "nvd_text": "Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6381", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6381", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6381", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6381", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6381", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6381" } }, "CVE-2013-6382": { "affected_versions": "v2.6.12-rc2 to v3.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: underflow bug in xfs_attrlist_by_handle()", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Buffer Errors", "fixes": "31978b5cc66b8ba8a7e8eef60b12395d41b7b890", "last_affected_version": "3.12.5", "nvd_text": "Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory 
corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6382", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6382", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6382", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6382", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6382", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6382" } }, "CVE-2013-6383": { "affected_versions": "v2.6.12-rc2 to v3.12", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "aacraid: missing capable() check in compat ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "f856567b930dfcdbc3323261bf77240ccdde01f5", "last_affected_version": "3.11", "nvd_text": "The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6383", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6383", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6383", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6383", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6383", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6383" } }, "CVE-2013-6392": 
{ "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Resource Management Errors", "fixes": "", "nvd_text": "The genlock_dev_ioctl function in genlock.c in the Genlock driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted GENLOCK_IOC_EXPORT ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6392", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6392", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6392", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6392", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6392", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6392" }, "vendor_specific": true }, "CVE-2013-6431": { "affected_versions": "v3.7-rc1 to v3.12-rc1", "breaks": "188c517a050ec5b123e72cab76ea213721e5bd9d", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "ae7b4e1f213aa659aedf9c6ecad0bf5f0476e1e2", "nvd_text": "The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before 3.11.5 does not properly implement error-code encoding, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for an IPv6 SIOCADDRT ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6431", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-6431", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6431", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6431", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6431", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6431" } }, "CVE-2013-6432": { "affected_versions": "v3.11-rc1 to v3.13-rc1", "breaks": "6d0bfe22611602f36617bc7aa2ffa1bbb2f54c67", "cmt_msg": "ping: prevent NULL pointer dereference on write to msg_name", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.6" }, "cwe": "Other", "fixes": "cf970c002d270c36202bd5b9c2804d3097a52da0", "last_affected_version": "3.12.3", "nvd_text": "The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6432", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6432", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6432", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6432", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6432", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6432" } }, "CVE-2013-6885": { "affected_versions": "unk to v3.14-rc1", "breaks": "", "cmt_msg": "x86, cpu, amd: Add workaround for family 16h, erratum 793", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": 
"3b56496865f9f7d9bcb2f93b44c63f274f08e3b6", "last_affected_version": "3.12.9", "nvd_text": "The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-6885", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-6885", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-6885", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-6885", "SUSE": "https://www.suse.com/security/cve/CVE-2013-6885", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6885" } }, "CVE-2013-7026": { "affected_versions": "v3.12-rc1 to v3.13-rc1", "breaks": "c2c737a0461e61a34676bd0bd1bc1a70a1b4e396", "cmt_msg": "ipc,shm: fix shm_file deletion races", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Race Conditions", "fixes": "a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1", "last_affected_version": "3.12.1", "nvd_text": "Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7026", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7026", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7026", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7026", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7026", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7026" } }, "CVE-2013-7027": { "affected_versions": "v2.6.12-rc2 to v3.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "wireless: radiotap: fix parsing buffer overrun", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "6.1" }, "cwe": "Buffer Errors", "fixes": "f5563318ff1bde15b10e736e97ffce13be08bc1a", "last_affected_version": "3.2.52", "nvd_text": "The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7027", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7027", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7027", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7027", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7027", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7027" } }, "CVE-2013-7263": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "inet: prevent leakage of uninitialized memory to user in recv syscalls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "bceaa90240b6019ed73b49965eac7d167610be69", "last_affected_version": "3.12.3", "nvd_text": "The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local 
users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7263", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7263", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7263", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7263", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7263", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7263" } }, "CVE-2013-7264": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "inet: prevent leakage of uninitialized memory to user in recv syscalls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "bceaa90240b6019ed73b49965eac7d167610be69", "last_affected_version": "3.12.3", "nvd_text": "The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7264", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7264", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7264", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7264", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7264", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7264" } }, "CVE-2013-7265": { "affected_versions": "v2.6.12-rc2 to 
v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "inet: prevent leakage of uninitialized memory to user in recv syscalls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "bceaa90240b6019ed73b49965eac7d167610be69", "last_affected_version": "3.12.3", "nvd_text": "The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7265", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7265", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7265", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7265", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7265", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7265" } }, "CVE-2013-7266": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rework recvmsg handler msg_name and msg_namelen logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "f3d3342602f8bcbf37d7c46641cb9bca7618eb1c", "last_affected_version": "3.12.3", "nvd_text": "The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local 
users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7266", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7266", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7266", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7266", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7266", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7266" } }, "CVE-2013-7267": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rework recvmsg handler msg_name and msg_namelen logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "f3d3342602f8bcbf37d7c46641cb9bca7618eb1c", "last_affected_version": "3.12.3", "nvd_text": "The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7267", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7267", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7267", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7267", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7267", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7267" } }, "CVE-2013-7268": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rework recvmsg handler msg_name and 
msg_namelen logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "f3d3342602f8bcbf37d7c46641cb9bca7618eb1c", "last_affected_version": "3.12.3", "nvd_text": "The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7268", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7268", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7268", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7268", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7268", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7268" } }, "CVE-2013-7269": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rework recvmsg handler msg_name and msg_namelen logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "f3d3342602f8bcbf37d7c46641cb9bca7618eb1c", "last_affected_version": "3.12.3", "nvd_text": "The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2013-7269", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7269", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7269", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7269", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7269", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7269" } }, "CVE-2013-7270": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rework recvmsg handler msg_name and msg_namelen logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "f3d3342602f8bcbf37d7c46641cb9bca7618eb1c", "last_affected_version": "3.12.3", "nvd_text": "The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7270", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7270", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7270", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7270", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7270", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7270" } }, "CVE-2013-7271": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rework recvmsg handler msg_name and msg_namelen logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "f3d3342602f8bcbf37d7c46641cb9bca7618eb1c", "last_affected_version": "3.12.3", "nvd_text": "The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7271", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7271", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7271", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7271", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7271", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7271" } }, "CVE-2013-7281": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "inet: prevent leakage of uninitialized memory to user in recv syscalls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Information Leak / Disclosure", "fixes": "bceaa90240b6019ed73b49965eac7d167610be69", "last_affected_version": "3.12.3", "nvd_text": "The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7281", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2013-7281", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7281", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7281", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7281", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7281" } }, "CVE-2013-7339": { "affected_versions": "v2.6.12-rc2 to v3.13-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rds: prevent dereference of a NULL device", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "c2349758acf1874e4c2b93fe41d072336f1a31d0", "last_affected_version": "3.12.7", "nvd_text": "The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7339", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7339", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7339", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7339", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7339", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7339" } }, "CVE-2013-7348": { "affected_versions": "v3.13-rc1 to v3.13-rc1", "backport": true, "breaks": "e34ecee2ae791df674dfb466ce40692ca6218e43", "cmt_msg": "aio: prevent double free in ioctx_alloc", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cwe": "Resource 
Management Errors", "fixes": "d558023207e008a4476a3b7bb8706b2a2bf5d84f", "last_affected_version": "3.12.3", "last_modified": "2021-07-08", "nvd_text": "Double free vulnerability in the ioctx_alloc function in fs/aio.c in the Linux kernel before 3.12.4 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via vectors involving an error condition in the aio_setup_ring function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7348", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7348", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7348", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7348", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7348", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7348" } }, "CVE-2013-7421": { "affected_versions": "v2.6.38-rc1 to v3.19-rc1", "breaks": "03c8efc1ffeb6b82a22c1af8dd908af349563314", "cmt_msg": "crypto: prefix module autoloading with \"crypto-\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "2.1" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "5d26a105b5a73e5635eae0629b42fa0a90e07b7b", "last_affected_version": "3.18.4", "nvd_text": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7421", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7421", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7421", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7421", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7421", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7421" } }, "CVE-2013-7445": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "", "nvd_text": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7445", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7445", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7445", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7445", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7445", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7445" } }, "CVE-2013-7446": { "affected_versions": "v2.6.26-rc9 to v4.4-rc4", "breaks": "ec0d215f9420564fc8286dcf93d2d068bb53a07e", "cmt_msg": "unix: avoid use-after-free in ep_remove_wait_queue", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "5.4" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.3" }, "cwe": "Other", "fixes": "7d267278a9ece963d77eefec61630223fce08c6c", "last_affected_version": "4.3.2", "last_modified": 
"2019-03-20", "nvd_text": "Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7446", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7446", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7446", "Red Hat": "https://access.redhat.com/security/cve/CVE-2013-7446", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7446", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7446" } }, "CVE-2013-7470": { "affected_versions": "v2.6.12-rc2 to v3.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fix cipso packet validation when !NETLABEL", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "5.9" }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b", "last_affected_version": "3.2.52", "last_modified": "2019-04-26", "nvd_text": "cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2013-7470", "ExploitDB": "https://www.exploit-db.com/search?cve=2013-7470", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2013-7470", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2013-7470", "SUSE": "https://www.suse.com/security/cve/CVE-2013-7470", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7470" } }, "CVE-2014-0038": { "affected_versions": "v3.4-rc1 to v3.14-rc1", "breaks": "ee4fa23c4bfcc635d077a9633d405610de45bc70", "cmt_msg": "x86, x32: Correct invalid use of user timespec in the kernel", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Input Validation", "fixes": "2def2ef2ae5f3990aabdbe8a755911902707d268", "last_affected_version": "3.12.9", "nvd_text": "The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0038", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0038", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0038", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0038", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0038", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0038" } }, "CVE-2014-0049": { "affected_versions": "v3.5-rc1 to v3.14-rc5", "breaks": "f78146b0f9230765c6315b2e14f56112513389ad", "cmt_msg": "kvm: x86: fix emulator buffer overflow (CVE-2014-0049)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.4" }, "cwe": "Buffer Errors", "fixes": "a08d3b3b99efd509133946056531cdf8f3a0c09b", "last_affected_version": "3.12.13", "nvd_text": "Buffer overflow in the complete_emulated_mmio function in 
arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0049", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0049", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0049", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0049", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0049", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0049" } }, "CVE-2014-0055": { "affected_versions": "v2.6.36-rc1 to v3.14", "breaks": "8dd014adfea6f173c1ef6378f7e5e7924866c923", "cmt_msg": "vhost: validate vhost_get_vq_desc return value", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.5" }, "cwe": "Insufficient Information", "fixes": "a39ee449f96a2cd44ce056d8a0a112211a9b1a1f", "last_affected_version": "3.13", "nvd_text": "The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0055", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0055", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0055", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0055", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0055", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0055" } }, "CVE-2014-0069": { "affected_versions": "v2.6.38-rc3 to v3.14-rc4", "breaks": 
"72432ffcf555decbbae47f1be338e1d2f210aa69", "cmt_msg": "cifs: ensure that uncached writes handle unmapped areas correctly", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Buffer Errors", "fixes": "5d81de8e8667da7135d3a32a964087c0faf5483f", "last_affected_version": "3.12.13", "nvd_text": "The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0069", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0069", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0069", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0069", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0069", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0069" } }, "CVE-2014-0077": { "affected_versions": "v2.6.36-rc1 to v3.14", "breaks": "8dd014adfea6f173c1ef6378f7e5e7924866c923", "cmt_msg": "vhost: fix total length when packets are too short", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "5.5" }, "cwe": "Input Validation", "fixes": "d8316f3991d207fe32881a9ac20241be8fa2bad0", "last_affected_version": "3.13", "nvd_text": "drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to 
cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0077", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0077", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0077", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0077" } }, "CVE-2014-0100": { "affected_versions": "v3.9-rc1 to v3.14-rc7", "breaks": "3ef0eb0db4bf92c6d2510fe5c4dc51852746f206", "cmt_msg": "net: fix for a race condition in the inet frag code", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cwe": "Race Conditions", "fixes": "24b9bf43e93e0edd89072da51cf1fab95fc69dec", "last_affected_version": "3.12.17", "nvd_text": "Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0100", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0100", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0100", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0100", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0100", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0100" } }, "CVE-2014-0101": { "affected_versions": "v2.6.24-rc1 to v3.14-rc6", "breaks": 
"bbd0d59809f923ea2b540cbd781b32110e249f6e", "cmt_msg": "net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Input Validation", "fixes": "ec0223ec48a90cb605244b45f7c62de856403729", "last_affected_version": "3.12.14", "nvd_text": "The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0101", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0101", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0101", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0101", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0101", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0101" } }, "CVE-2014-0102": { "affected_versions": "v3.13-rc1 to v3.14-rc6", "breaks": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.2" }, "cwe": "Cryptographic Issues", "fixes": "979e0d74651ba5aa533277f2a6423d0f982fb6f6", "nvd_text": "The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl 
commands.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0102", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0102", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0102", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0102", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0102", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0102" } }, "CVE-2014-0131": { "affected_versions": "v3.1-rc1 to v3.14-rc7", "breaks": "a6686f2f382b13f8a7253401a66690c3633b6a74", "cmt_msg": "skbuff: skb_segment: orphan frags before copying", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.9" }, "cwe": "Resource Management Errors", "fixes": "1fd819ecb90cc9b822cd84d3056ddba315d3340f", "last_affected_version": "3.12.22", "nvd_text": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0131", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0131", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0131", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0131", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0131", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0131" } }, "CVE-2014-0155": { "affected_versions": "v3.10-rc1 to v3.15-rc2", "breaks": "2c2bf01136971c33e3b3fabce23925f372c1017e", "cmt_msg": "KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality 
Impact": "None", "Integrity Impact": "None", "score": "5.5" }, "cwe": "Input Validation", "fixes": "5678de3f15010b9022ee45673f33bcfc71d47b60", "last_affected_version": "3.14.3", "nvd_text": "The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0155", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0155", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0155", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0155", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0155", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0155" } }, "CVE-2014-0181": { "affected_versions": "v2.6.12-rc2 to v3.15-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: Use netlink_ns_capable to verify the permisions of netlink messages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "2.1" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "90f62cf30a78721641e08737bda787552428061e", "last_affected_version": "3.14.8", "nvd_text": "The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2014-0181", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0181", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0181", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0181", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0181", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0181" } }, "CVE-2014-0196": { "affected_versions": "v2.6.31-rc3 to v3.15-rc5", "breaks": "d945cb9cce20ac7143c2de8d88b187f62db99bdc", "cmt_msg": "n_tty: Fix n_tty_write crash when echoing in raw mode", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Race Conditions", "fixes": "4291086b1f081b869c6d79e5b7441633dc3ace00", "last_affected_version": "3.14.3", "last_modified": "2020-06-25", "nvd_text": "The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the \"LECHO & !OPOST\" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0196", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0196", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0196", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0196", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0196", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0196" } }, "CVE-2014-0203": { "affected_versions": "v2.6.12-rc2 to v2.6.33-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", 
"Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "86acdca1b63e6890540fa19495cfc708beff3d8b", "last_modified": "2020-08-13", "nvd_text": "The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0203", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0203", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0203", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0203", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0203", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0203" } }, "CVE-2014-0205": { "affected_versions": "v2.6.12-rc2 to v2.6.37-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "7ada876a8703f23befbb20a7465a702ee39b1704", "nvd_text": "The futex_wait function in kernel/futex.c in the Linux kernel before 2.6.37 does not properly maintain a certain reference count during requeue operations, which allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that triggers a zero count.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2014-0205", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0205", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0205", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0205", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0205", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0205" } }, "CVE-2014-0206": { "affected_versions": "v3.10-rc1 to v3.16-rc3", "breaks": "a31ad380bed817aa25f8830ad23e1a0480fef797", "cmt_msg": "aio: fix kernel memory disclosure in io_getevents() introduced in v3.10", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Other", "fixes": "edfbbf388f293d70bf4b7c0bc38774d05e6f711a", "last_affected_version": "3.14.9", "nvd_text": "Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0206", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0206", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0206", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0206", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0206", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0206" } }, "CVE-2014-0972": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions 
for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write to arbitrary memory locations, by using a crafted GPU command stream to modify the contents of a certain register.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-0972", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-0972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-0972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-0972", "SUSE": "https://www.suse.com/security/cve/CVE-2014-0972", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0972" }, "vendor_specific": true }, "CVE-2014-1438": { "affected_versions": "v2.6.12-rc2 to v3.13", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "26bef1318adc1b3a530ecc807ef99346db2aa8b0", "last_affected_version": "3.12.7", "nvd_text": "The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1438", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1438", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1438", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1438", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1438", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1438" } }, "CVE-2014-1444": { "affected_versions": "v2.6.12-rc2 to v3.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "farsync: fix info leak in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.7" }, "cwe": "Resource Management Errors", "fixes": "96b340406724d87e4621284ebac5e059d67b2194", "last_affected_version": "3.2.52", "nvd_text": "The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1444", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1444", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1444", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1444", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1444", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1444" } }, "CVE-2014-1445": { "affected_versions": "v2.6.12-rc2 to v3.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "wanxl: fix info leak in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Resource Management Errors", "fixes": "2b13d06c9584b4eb773f1e80bbaedab9a1c344e1", "last_affected_version": "3.2.52", "nvd_text": "The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to 
obtain sensitive information from kernel memory via an ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1445", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1445", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1445", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1445", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1445", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1445" } }, "CVE-2014-1446": { "affected_versions": "v2.6.12-rc2 to v3.13-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "hamradio/yam: fix info leak in ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cwe": "Resource Management Errors", "fixes": "8e3fbf870481eb53b2d3a322d1fc395ad8b367ed", "last_affected_version": "3.12.7", "nvd_text": "The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1446", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1446", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1446", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1446", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1446", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1446" } }, "CVE-2014-1690": { "affected_versions": "v3.7-rc1 to v3.13-rc8", "breaks": "5901b6be885e2c9a30fd94803b846b3d33e351dd", "cmt_msg": "netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper", "cvss2": { "Access Complexity": "High", "Access Vector": "Network 
Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.6" }, "cwe": "Buffer Errors", "fixes": "2690d97ade05c5325cbf7c72b94b90d265659886", "last_affected_version": "3.12.7", "nvd_text": "The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1690", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1690", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1690", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1690", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1690", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1690" } }, "CVE-2014-1737": { "affected_versions": "v2.6.12-rc2 to v3.15-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: ignore kernel-only members in FDRAWCMD ioctl input", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "ef87dbe7614341c2e7bfe8d32fcb7028cc97442c", "last_affected_version": "3.14.3", "nvd_text": "The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1737", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1737", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2014-1737", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1737", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1737", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1737" } }, "CVE-2014-1738": { "affected_versions": "v2.6.12-rc2 to v3.15-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: don't write kernel-only members to FDRAWCMD ioctl output", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "2145e15e0557a01b9195d1c7199a1b92cb9be81f", "last_affected_version": "3.14.3", "nvd_text": "The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1738", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1738", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1738", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1738", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1738", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1738" } }, "CVE-2014-1739": { "affected_versions": "v2.6.39-rc1 to v3.15-rc6", "breaks": "1651333b09743887bc2dd3d158a11853a2be3fe7", "cmt_msg": "[media] media-device: fix infoleak in ioctl media_enum_entities()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.7" }, "cwe": 
"Information Leak / Disclosure", "fixes": "e6a623460e5fc960ac3ee9f946d3106233fd28d8", "last_affected_version": "3.14.5", "nvd_text": "The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1739", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1739", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1739", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1739" } }, "CVE-2014-1874": { "affected_versions": "v2.6.12-rc2 to v3.14-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "SELinux: Fix kernel BUG on empty security contexts.", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.4" }, "cwe": "Input Validation", "fixes": "2172fa709ab32ca60e86179dc67d0857be8e2c98", "nvd_text": "The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-1874", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-1874", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-1874", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-1874", "SUSE": "https://www.suse.com/security/cve/CVE-2014-1874", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1874" } }, "CVE-2014-2038": { "affected_versions": "v3.11-rc1 to v3.14-rc1", "breaks": "c7559663e42f4294ffe31fe159da6b6a66b35d61", "cmt_msg": "nfs: always make sure page is up-to-date before extending a write to cover the entire page", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.7" }, "cwe": "Input Validation", "fixes": "263b4509ec4d47e0da3e753f85a39ea12d1eff24", "last_affected_version": "3.12.10", "nvd_text": "The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2038", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2038", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2038", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2038", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2038", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2038" } }, "CVE-2014-2039": { "affected_versions": "v2.6.12-rc2 to v3.14-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390: fix kernel crash due to linkage stack instructions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Input Validation", "fixes": "8d7f6690cedb83456edd41c9bd583783f0703bf0", "last_affected_version": "3.12.12", "nvd_text": "arch/s390/kernel/head64.S in 
the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2039", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2039", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2039", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2039" } }, "CVE-2014-2309": { "affected_versions": "v3.0-rc7 to v3.14-rc7", "breaks": "957c665f37007de93ccbe45902a23143724170d0", "cmt_msg": "ipv6: don't set DST_NOCOUNT for remotely added routes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "6.1" }, "cwe": "Numeric Errors", "fixes": "c88507fbad8055297c1d1e21e599f46960cbee39", "last_affected_version": "3.12.17", "nvd_text": "The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2309", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2309", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2309", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2309", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2309", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2309" } }, "CVE-2014-2523": { "affected_versions": "v2.6.12-rc2 to v3.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: 
nf_conntrack_dccp: fix skb_header_pointer API usages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "10.0" }, "cwe": "Input Validation", "fixes": "b22f5126a24b3b2f15448c3f2a254fc10cbc2b92", "last_affected_version": "3.12.16", "nvd_text": "net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2523", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2523", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2523", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2523", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2523", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2523" } }, "CVE-2014-2568": { "affected_versions": "v3.10-rc1 to v3.14", "breaks": "ae08ce0021087a5d812d2714fb2a326ef9f8c450", "cmt_msg": "core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.9" }, "cwe": "Resource Management Errors", "fixes": "36d5fe6a000790f56039afe26834265db0a3ad4c", "last_affected_version": "3.13", "nvd_text": "Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. 
NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2568", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2568", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2568", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2568", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2568", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2568" } }, "CVE-2014-2580": { "affected_versions": "v3.12-rc1 to v3.15-rc1", "breaks": "b3f980bd827e6e81a050c518d60ed7811a83061d", "cmt_msg": "xen-netback: disable rogue vif in kthread context", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.4" }, "cwe": "Resource Management Errors", "fixes": "e9d8b2c2968499c1f96563e6522c56958d5a1d0d", "last_affected_version": "3.14.0", "nvd_text": "The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service (\"scheduling while atomic\" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2580", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2580", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2580", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2580", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2580", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2580" } }, "CVE-2014-2672": { "affected_versions": "v3.0-rc1 to v3.14-rc6", "breaks": "5519541d5a5f19893546883547e2f0f2e5934df7", "cmt_msg": "ath9k: protect tid->sched check", "cvss2": { 
"Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Race Conditions", "fixes": "21f8aaee0c62708654988ce092838aa7df4d25d8", "last_affected_version": "3.12.14", "nvd_text": "Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2672", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2672", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2672", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2672", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2672", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2672" } }, "CVE-2014-2673": { "affected_versions": "v3.9-rc1 to v3.14-rc6", "breaks": "fb09692e71f13af7298eb603a1975850b1c7a8d8", "cmt_msg": "powerpc/tm: Fix crash when forking inside a transaction", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Input Validation", "fixes": "621b5060e823301d0cba4cb52a7ee3491922d291", "last_affected_version": "3.12.14", "nvd_text": "The arch_dup_task_struct function in the Transactional Memory (TM) implementation in arch/powerpc/kernel/process.c in the Linux kernel before 3.13.7 on the powerpc platform does not properly interact with the clone and fork system calls, which allows local users to cause a denial of service (Program Check and system crash) via certain instructions that are executed with the processor in the Transactional state.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2673", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2673", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2673", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2673", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2673", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2673" } }, "CVE-2014-2678": { "affected_versions": "v2.6.12-rc2 to v3.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rds: prevent dereference of a NULL device in rds_iw_laddr_check", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Other", "fixes": "bf39b4247b8799935ea91d90db250ab608a58e50", "last_affected_version": "3.14.0", "nvd_text": "The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2678", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2678", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2678", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2678", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2678", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2678" } }, "CVE-2014-2706": { "affected_versions": "v2.6.33-rc1 to v3.14-rc6", "breaks": "af81858172cc0f3da81946aab919c26e4b364efc", "cmt_msg": "mac80211: fix AP powersave TX vs. 
wakeup race", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Race Conditions", "fixes": "1d147bfa64293b2723c4fec50922168658e613ba", "last_affected_version": "3.12.14", "nvd_text": "Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2706", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2706", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2706", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2706", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2706", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2706" } }, "CVE-2014-2739": { "affected_versions": "v3.14-rc1 to v3.15-rc1", "breaks": "dd5f03beb4f76ae65d76d8c22a8815e424fc607c", "cmt_msg": "IB/core: Don't resolve passive side RoCE L2 address in CMA REQ handler", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.6" }, "cwe": "Input Validation", "fixes": "b2853fd6c2d0f383dbdf7427e263eb576a633867", "last_affected_version": "3.14.2", "nvd_text": "The cma_req_handler function in drivers/infiniband/core/cma.c in the Linux kernel 3.14.x through 3.14.1 attempts to resolve an RDMA over Converged Ethernet (aka RoCE) address that is properly resolved within a different module, which allows remote attackers to cause a denial of service (incorrect pointer dereference and system crash) via crafted network traffic.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2739", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2739", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2739", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2739" } }, "CVE-2014-2851": { "affected_versions": "v3.0-rc1 to v3.15-rc2", "breaks": "c319b4d76b9e583a5d88d6bf190e079c4e43213d", "cmt_msg": "net: ipv4: current group_info should be put after using.", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Numeric Errors", "fixes": "b04c46190219a4f845e46a459e3102137b7f6cac", "last_affected_version": "3.14.4", "nvd_text": "Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2851", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2851", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2851", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2851", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2851", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2851" } }, "CVE-2014-2889": { "affected_versions": "v3.0-rc1 to v3.2-rc7", "breaks": "0a14842f5a3c0e88a1e59fac5c3025db39721f74", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, 
"cwe": "Numeric Errors", "fixes": "a03ffcf873fe0f2565386ca8ef832144c42e67fa", "nvd_text": "Off-by-one error in the bpf_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 3.1.8, when BPF JIT is enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges via a long jump after a conditional jump.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-2889", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-2889", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-2889", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-2889", "SUSE": "https://www.suse.com/security/cve/CVE-2014-2889", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2889" } }, "CVE-2014-3122": { "affected_versions": "v2.6.28-rc1 to v3.15-rc1", "breaks": "b291f000393f5a0b679012b39d79fbc85c018233", "cmt_msg": "mm: try_to_unmap_cluster() should lock_page() before mlocking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "57e68e9cd65b4b8eb4045a1e0d0746458502554c", "last_affected_version": "3.14.2", "nvd_text": "The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3122", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3122", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3122", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3122", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3122", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3122" } }, "CVE-2014-3144": { "affected_versions": "v2.6.26-rc1 to v3.15-rc2", "breaks": "4738c1db1593687713869fa69e733eebc7b0d6d8", "cmt_msg": "filter: prevent nla extensions to peek beyond the end of the message", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Numeric Errors", "fixes": "05ab8f2647e4221cbdb3856dd7d32bd5407316b3", "last_affected_version": "3.14.4", "nvd_text": "The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3144", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3144", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3144", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3144", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3144", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3144" } }, "CVE-2014-3145": { "affected_versions": "v2.6.29-rc1 to v3.15-rc2", "breaks": "d214c7537bbf2f247991fb65b3420b0b3d712c67", "cmt_msg": "filter: prevent nla extensions to peek beyond the end of the message", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Numeric Errors", "fixes": 
"05ab8f2647e4221cbdb3856dd7d32bd5407316b3", "last_affected_version": "3.14.4", "nvd_text": "The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3145", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3145", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3145", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3145", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3145", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3145" } }, "CVE-2014-3153": { "affected_versions": "v2.6.31-rc1 to v3.15", "breaks": "52400ba946759af28442dee6265c5c0180ac7122", "cmt_msg": "futex: Make lookup_pi_state more robust", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "54a217887a7b658e2650c3feff22756ab80c7339", "last_affected_version": "3.14.5", "nvd_text": "The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3153", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3153", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3153", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2014-3153", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3153", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3153" } }, "CVE-2014-3180": { "affected_versions": "v2.6.12-rc2 to v3.17-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "compat: nanosleep: Clarify error handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "score": "6.4" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": "9.1" }, "cwe": "Out-of-bounds Read", "fixes": "849151dd5481bc8acb1d287a299b5d6a4ca9f1c3", "last_modified": "2020-01-28", "nvd_text": "** DISPUTED ** In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. 
NOTE: this is disputed because the code path is unreachable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3180", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3180", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3180", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3180", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3180", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3180" } }, "CVE-2014-3181": { "affected_versions": "v2.6.37-rc1 to v3.17-rc3", "breaks": "a462230e16acc8664145216da3c928d03556691a", "cmt_msg": "HID: magicmouse: sanity check report size in raw_event() callback", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "c54def7bd64d7c0b6993336abcffb8444795bf38", "last_affected_version": "3.16.3", "nvd_text": "Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3181", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3181", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3181", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3181", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3181", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3181" } }, "CVE-2014-3182": { "affected_versions": "v2.6.12-rc2 to v3.17-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: logitech: 
perform bounds checking on device_id early enough", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "ad3e14d7c5268c2e24477c6ef54bbdf88add5d36", "last_affected_version": "3.16.1", "nvd_text": "Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3182", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3182", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3182", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3182", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3182", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3182" } }, "CVE-2014-3183": { "affected_versions": "v3.15-rc1 to v3.17-rc2", "breaks": "0e40d35637d68f654b66f4562c9a914be7d06bd1", "cmt_msg": "HID: logitech: fix bounds checking on LED report size", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "51217e69697fba92a06e07e16f55c9a52d8e8945", "last_affected_version": "3.16.1", "nvd_text": "Heap-based buffer overflow in the logi_dj_ll_raw_request function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that specifies a large report size for an LED 
report.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3183", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3183", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3183", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3183", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3183", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3183" } }, "CVE-2014-3184": { "affected_versions": "v2.6.12-rc2 to v3.17-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: fix a couple of off-by-ones", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Buffer Errors", "fixes": "4ab25786c87eb20857bbb715c3ae34ec8fd6a214", "last_affected_version": "3.16.1", "nvd_text": "The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3184", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3184", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3184", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3184", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3184", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3184" } }, "CVE-2014-3185": { "affected_versions": "v2.6.12-rc2 to v3.17-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: whiteheat: Added bounds checking for bulk command response", "cvss2": { 
"Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "6817ae225cd650fb1c3295d769298c38b1eba818", "last_affected_version": "3.16.1", "nvd_text": "Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3185", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3185", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3185", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3185", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3185", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3185" } }, "CVE-2014-3186": { "affected_versions": "v2.6.35-rc1 to v3.17-rc3", "breaks": "236db47c2b3b69464d50c695ab2ddd516cf64520", "cmt_msg": "HID: picolcd: sanity check report size in raw_event() callback", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "844817e47eef14141cf59b8d5ac08dd11c0a9189", "last_affected_version": "3.16.3", "nvd_text": "Buffer overflow in the picolcd_raw_event function in drivers/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or 
possibly execute arbitrary code via a crafted device that sends a large report.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3186", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3186", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3186", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3186", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3186", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3186" } }, "CVE-2014-3519": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "score": "6.5" }, "cwe": "Improper Access Control", "fixes": "", "nvd_text": "The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH capability to bypass an intended container protection mechanism and access arbitrary files on a filesystem via vectors related to use of the file_handle structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3519", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3519", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3519", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3519", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3519", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3519" }, "vendor_specific": true }, "CVE-2014-3534": { "affected_versions": "v2.6.12-rc2 to v3.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390/ptrace: fix PSW 
mask check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "dab6cf55f81a6e16b8147aed9a843e1691dcd318", "last_affected_version": "3.14.14", "nvd_text": "arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3534", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3534", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3534", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3534", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3534", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3534" } }, "CVE-2014-3535": { "affected_versions": "v2.6.34-rc1 to v2.6.36-rc1", "breaks": "b3d95c5c93d4b57eaea0ad3f582b08a6b5fb3eb1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "256df2f3879efdb2e9808bdb1b54b16fbb11fa38", "nvd_text": "include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3535", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2014-3535", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3535", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3535", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3535", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3535" } }, "CVE-2014-3601": { "affected_versions": "v2.6.35-rc1 to v3.17-rc2", "breaks": "fcd95807fb61e67d602610e7ff7129ed769e9fee", "cmt_msg": "kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.3" }, "cwe": "Numeric Errors", "fixes": "350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7", "last_affected_version": "3.16.1", "nvd_text": "The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3601", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3601", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3601", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3601", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3601", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3601" } }, "CVE-2014-3610": { "affected_versions": "v2.6.12-rc2 to v3.18-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Check non-canonical addresses upon WRMSR", "cvss2": { "Access Complexity": "Low", "Access 
Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "854e8bb1aa06c578c2c9145fa6bfe3680ef63b23", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3610", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3610", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3610", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3610" } }, "CVE-2014-3611": { "affected_versions": "v2.6.12-rc2 to v3.18-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Improve thread safety in pit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "2febc839133280d5a5e8e1179c94ea674489dae2", "last_affected_version": "3.16.34", "last_modified": "2020-08-18", "nvd_text": "Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3611", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3611", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3611", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3611" } }, "CVE-2014-3631": { "affected_versions": "v3.13-rc1 to v3.17-rc5", "breaks": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "cmt_msg": "KEYS: Fix termination condition in assoc array garbage collection", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Other", "fixes": "95389b08d93d5c06ec63ab49bd732b0069b7c35e", "last_affected_version": "3.16.2", "nvd_text": "The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple \"keyctl newring\" operations followed by a \"keyctl timeout\" operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3631", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2014-3631", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3631", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3631", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3631", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3631" } }, "CVE-2014-3645": { "affected_versions": "v2.6.12-rc2 to v3.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nEPT: Nested INVEPT", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Input Validation", "fixes": "bfd0a56b90005f8c8a004baf407ad90045c2b11e", "last_affected_version": "3.2.63", "nvd_text": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3645", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3645", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3645", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3645", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3645", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3645" } }, "CVE-2014-3646": { "affected_versions": "v2.6.12-rc2 to v3.18-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kvm: vmx: handle invvpid vm exit gracefully", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", 
"Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "a642fc305053cc1c6e47e4f4df327895747ab485", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3646", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3646", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3646", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3646" } }, "CVE-2014-3647": { "affected_versions": "v2.6.12-rc2 to v3.18-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Emulator fixes for eip canonical checks on near branches", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "234f3ce485d54017f15cf5e0699cff4100121601", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does 
not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3647", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3647", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3647", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3647" } }, "CVE-2014-3673": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "9de7922bc709eee2f609cd01d98aaedc4cf5ea74", "last_affected_version": "3.16.34", "last_modified": "2020-08-13", "nvd_text": "The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3673", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3673", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3673", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3673", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3673", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3673" } }, "CVE-2014-3687": { "affected_versions": "v2.6.27-rc1 to v3.18-rc1", "breaks": "2e3216cd54b142ba605e87522e15f42e0c4e3996", "cmt_msg": "net: sctp: fix panic on duplicate ASCONF chunks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "b69040d8e39f20d5215a03502a8e8b4c6ab78395", "last_affected_version": "3.16.34", "last_modified": "2020-08-13", "nvd_text": "The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3687", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3687", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3687", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3687", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3687", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3687" } }, "CVE-2014-3688": { "affected_versions": "v2.6.27-rc1 to v3.18-rc1", "breaks": "2e3216cd54b142ba605e87522e15f42e0c4e3996", "cmt_msg": "net: sctp: fix remote memory pressure from excessive queueing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", 
"Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Resource Management Errors", "fixes": "26b87c7881006311828bb0ab271a551a62dcceb4", "last_affected_version": "3.16.34", "nvd_text": "The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3688", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3688", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3688", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3688", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3688", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3688" } }, "CVE-2014-3690": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86,kvm,vmx: Preserve CR4 across VM entry", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "d974baa398f34393db76be45f7d4d04fbdbb4a0a", "last_affected_version": "3.16.6", "last_modified": "2020-08-20", "nvd_text": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users 
to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3690", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3690", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3690", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3690", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3690", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3690" } }, "CVE-2014-3917": { "affected_versions": "v2.6.12-rc2 to v3.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "auditsc: audit_krule mask accesses need bounds checking", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "3.3" }, "cwe": "Information Leak / Disclosure", "fixes": "a3c54931199565930d6d84f4c3456f6440aefd41", "last_affected_version": "3.14.7", "nvd_text": "kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3917", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3917", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3917", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3917", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3917", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3917" } }, "CVE-2014-3940": { "affected_versions": "v3.12-rc1 to v3.15", "breaks": "e2d8cf405525d83e6ca42969be460f94b0339798", "cmt_msg": "mm: add 
!pte_present() check on existing hugetlb_entry callbacks", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Race Conditions", "fixes": "d4c54919ed86302094c0ca7d48a8cbd4ee753e92", "last_affected_version": "3.14.6", "nvd_text": "The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-3940", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-3940", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-3940", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-3940", "SUSE": "https://www.suse.com/security/cve/CVE-2014-3940", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3940" } }, "CVE-2014-4014": { "affected_versions": "v3.5-rc1 to v3.16-rc1", "breaks": "1a48e2ac034d47ed843081c4523b63c46b46888b", "cmt_msg": "fs,userns: Change inode_capable to capable_wrt_inode_uidgid", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "23adbe12ef7d3d4195e80800ab36b37bee28cd03", "last_affected_version": "3.14.7", "nvd_text": "The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user 
namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4014", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4014", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4014", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4014", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4014", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4014" } }, "CVE-2014-4027": { "affected_versions": "v2.6.38-rc1 to v3.14-rc1", "breaks": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5", "cmt_msg": "target/rd: Refactor rd_build_device_space + rd_release_device_space", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.3" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "4442dc8a92b8f9ad8ee9e7f8438f4c04c03a22dc", "nvd_text": "The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4027", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4027", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4027", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4027", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4027", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4027" } }, "CVE-2014-4157": { "affected_versions": "v2.6.12-rc2 to v3.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "MIPS: asm: thread_info: Add _TIF_SECCOMP flag", "cvss2": { "Access Complexity": "Low", "Access Vector": 
"Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "137f7df8cead00688524c82360930845396b8a21", "last_affected_version": "3.14.7", "nvd_text": "arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure _TIF_SECCOMP checks on the fast system-call path, which allows local users to bypass intended PR_SET_SECCOMP restrictions by executing a crafted application without invoking a trace or audit subsystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4157", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4157", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4157", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4157", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4157", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4157" } }, "CVE-2014-4171": { "affected_versions": "v2.6.12-rc2 to v3.16-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "shmem: fix faulting into a hole while it's punched", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Other", "fixes": "f00cdc6df7d7cfcabb5b740911e6788cb0802bdb", "last_affected_version": "3.14.13", "nvd_text": "mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.", 
"ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4171", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4171", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4171", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4171", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4171", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4171" } }, "CVE-2014-4322": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Buffer Errors", "fixes": "", "nvd_text": "drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4322", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4322", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4322", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4322", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4322", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4322" }, "vendor_specific": true }, "CVE-2014-4323": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "7.5" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "014fa8def84c62893fa016e873c12de1da498603", "nvd_text": "The mdp_lut_hw_update function in 
drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4323", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4323", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4323", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4323", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4323", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4323" }, "vendor_specific": true }, "CVE-2014-4508": { "affected_versions": "v2.6.12-rc2 to v3.16-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Numeric Errors", "fixes": "554086d85e71f30abe46fc014fea31929a7c6a8a", "last_affected_version": "3.14.9", "nvd_text": "arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4508", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4508", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4508", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4508" } }, "CVE-2014-4608": { "affected_versions": "v2.6.23-rc1 to v3.18-rc1", "breaks": "64c70b1cf43de158282bc1675918d503e5b15cc1", "cmt_msg": "lzo: check for length overrun in variable length encoding.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Buffer Errors", "fixes": "72cf90124e87d975d0b2114d930808c58b4c05e4", "last_affected_version": "3.16.6", "nvd_text": "** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says \"the Linux kernel is *not* affected; media hype.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4608", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4608", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4608", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4608", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4608", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4608" } }, "CVE-2014-4611": { "affected_versions": "v3.11-rc1 to v3.16-rc3", "breaks": "cffb78b0e0b3a30b059b27a1d97500cf6464efa9", "cmt_msg": "lz4: ensure length does not wrap", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Input Validation", "fixes": "206204a1162b995e2185275167b22468c00d6b36", "last_affected_version": "3.14.8", "nvd_text": "Integer overflow in the LZ4 algorithm implementation, as used in Yann 
Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4611", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4611", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4611", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4611" } }, "CVE-2014-4652": { "affected_versions": "v2.6.12-rc2 to v3.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: control: Protect user controls against concurrent access", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Race Conditions", "fixes": "07f4d9d74a04aa7c72c5dae0ef97565f28f17b92", "last_affected_version": "3.14.8", "nvd_text": "Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4652", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4652", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4652", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4652", "SUSE": 
"https://www.suse.com/security/cve/CVE-2014-4652", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4652" } }, "CVE-2014-4653": { "affected_versions": "v2.6.12-rc2 to v3.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: control: Don't access controls outside of protected regions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "6.6" }, "cwe": "Other", "fixes": "fd9f26e4eca5d08a27d12c0933fceef76ed9663d", "last_affected_version": "3.14.8", "nvd_text": "sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4653", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4653", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4653", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4653", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4653", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4653" } }, "CVE-2014-4654": { "affected_versions": "v2.6.12-rc2 to v3.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: control: Fix replacing user controls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "82262a46627bebb0febcc26664746c25cef08563", "last_affected_version": "3.14.8", "nvd_text": "The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in 
the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4654", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4654", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4654", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4654", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4654", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4654" } }, "CVE-2014-4655": { "affected_versions": "v2.6.12-rc2 to v3.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: control: Fix replacing user controls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Numeric Errors", "fixes": "82262a46627bebb0febcc26664746c25cef08563", "last_affected_version": "3.14.8", "nvd_text": "The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4655", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4655", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4655", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4655", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4655", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4655" 
} }, "CVE-2014-4656": { "affected_versions": "v2.6.12-rc2 to v3.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: control: Handle numid overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Numeric Errors", "fixes": "ac902c112d90a89e59916f751c2745f4dbdbb4bd", "last_affected_version": "3.14.8", "nvd_text": "Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4656", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4656", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4656", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4656" } }, "CVE-2014-4667": { "affected_versions": "v2.6.19-rc5 to v3.16-rc1", "breaks": "de76e695a5ce19c121ba7e246b45f258be678a75", "cmt_msg": "sctp: Fix sk_ack_backlog wrap-around problem", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Input Validation", "fixes": "d3217b15a19a4779c39b212358a5c71d725822ee", "last_affected_version": "3.14.8", "nvd_text": "The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service 
(socket outage) via a crafted SCTP packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4667", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4667", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4667", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4667", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4667", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4667" } }, "CVE-2014-4699": { "affected_versions": "v2.6.17 to v3.16-rc4", "breaks": "427abfa28afedffadfca9dd8b067eb6d36bac53f", "cmt_msg": "ptrace,x86: force IRET path after a ptrace_stop()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Race Conditions", "fixes": "b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a", "last_affected_version": "3.14.10", "nvd_text": "The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4699", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4699", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4699", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4699", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4699", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4699" } }, "CVE-2014-4943": { "affected_versions": "v2.6.12-rc2 to v3.16-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/l2tp: don't fall back on UDP [get|set]sockopt", "cvss2": { "Access 
Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "3cf521f7dc87c031617fd47e4b7aa2593c2f3daf", "last_affected_version": "3.2.61", "last_modified": "2023-05-05", "nvd_text": "The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-4943", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-4943", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-4943", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-4943", "SUSE": "https://www.suse.com/security/cve/CVE-2014-4943", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4943" } }, "CVE-2014-5045": { "affected_versions": "v3.12-rc1 to v3.16-rc7", "breaks": "8033426e6bdb2690d302872ac1e1fadaec1a5581", "cmt_msg": "fs: umount on symlink leaks mnt count", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Link Following", "fixes": "295dc39d941dc2ae53d5c170365af4c9d5c16212", "last_affected_version": "3.14.14", "nvd_text": "The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5045", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2014-5045", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5045", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5045", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5045", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5045" } }, "CVE-2014-5077": { "affected_versions": "v2.6.12-rc2 to v3.16", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: sctp: inherit auth_capable on INIT collisions", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.4" }, "cwe": "Other", "fixes": "1be9a950c646c9092fb3618197f7b6bfb50e82aa", "last_affected_version": "3.15", "nvd_text": "The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5077", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-5077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5077", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5077", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5077" } }, "CVE-2014-5206": { "affected_versions": "v3.8-rc1 to v3.17-rc1", "breaks": "0c55cfc4166d9a0f38de779bd4d75a90afbe7734", "cmt_msg": "mnt: Only change user settable mount flags in remount", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "a6138db815df5ee542d848318e5dae681590fccd", "last_affected_version": "3.16.2", "nvd_text": "The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a \"mount -o remount\" command within a user namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5206", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-5206", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5206", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5206", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5206", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5206" } }, "CVE-2014-5207": { "affected_versions": "v3.8-rc1 to v3.17-rc1", "breaks": "0c55cfc4166d9a0f38de779bd4d75a90afbe7734", "cmt_msg": "mnt: Correct permission checks in do_remount", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.0" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "9566d6742852c527bf5af38af5cbb878dad75705", "last_affected_version": "3.16.2", "nvd_text": "fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a \"mount -o remount\" command 
within a user namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5207", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-5207", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5207", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5207", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5207", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5207" } }, "CVE-2014-5332": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Race Conditions", "fixes": "-", "nvd_text": "Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5332", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-5332", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5332", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5332", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5332", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5332" }, "vendor_specific": true }, "CVE-2014-5471": { "affected_versions": "v2.6.12-rc2 to v3.17-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isofs: Fix unbounded recursion when processing relocated directories", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Resource Management Errors", "fixes": "410dd3cf4c9b36f27ed4542ee18b1af5e68645a4", 
"last_affected_version": "3.16.1", "nvd_text": "Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5471", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-5471", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5471", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5471", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5471", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5471" } }, "CVE-2014-5472": { "affected_versions": "v2.6.12-rc2 to v3.17-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isofs: Fix unbounded recursion when processing relocated directories", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.0" }, "cwe": "Input Validation", "fixes": "410dd3cf4c9b36f27ed4542ee18b1af5e68645a4", "last_affected_version": "3.16.1", "nvd_text": "The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-5472", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-5472", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-5472", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-5472", "SUSE": "https://www.suse.com/security/cve/CVE-2014-5472", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5472" } 
}, "CVE-2014-6410": { "affected_versions": "v2.6.12-rc2 to v3.17-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Avoid infinite loop when processing indirect ICBs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "c03aa9f6e1f938618e6db2e23afef0574efeeb65", "last_affected_version": "3.16.4", "nvd_text": "The __udf_read_inode function in fs/udf/inode.c in the Linux kernel through 3.16.3 does not restrict the amount of ICB indirection, which allows physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-6410", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-6410", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-6410", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-6410", "SUSE": "https://www.suse.com/security/cve/CVE-2014-6410", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6410" } }, "CVE-2014-6416": { "affected_versions": "v2.6.34-rc2 to v3.17-rc5", "breaks": "ec0994e48ea2aebf62ff08376227f3a9ccf46262", "cmt_msg": "libceph: do not hard code max auth ticket len", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "c27a3e4d667fdcad3db7b104f75659478e0c68d8", "last_affected_version": "3.16.2", "nvd_text": "Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a 
long unencrypted auth ticket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-6416", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-6416", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-6416", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-6416", "SUSE": "https://www.suse.com/security/cve/CVE-2014-6416", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6416" } }, "CVE-2014-6417": { "affected_versions": "v2.6.34-rc2 to v3.17-rc5", "breaks": "ec0994e48ea2aebf62ff08376227f3a9ccf46262", "cmt_msg": "libceph: do not hard code max auth ticket len", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "c27a3e4d667fdcad3db7b104f75659478e0c68d8", "last_affected_version": "3.16.2", "nvd_text": "net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly consider the possibility of kmalloc failure, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a long unencrypted auth ticket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-6417", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-6417", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-6417", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-6417", "SUSE": "https://www.suse.com/security/cve/CVE-2014-6417", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6417" } }, "CVE-2014-6418": { "affected_versions": "v2.6.34-rc2 to v3.17-rc5", "breaks": "ec0994e48ea2aebf62ff08376227f3a9ccf46262", "cmt_msg": "libceph: do not hard code max auth ticket len", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability 
Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.1" }, "cwe": "Resource Management Errors", "fixes": "c27a3e4d667fdcad3db7b104f75659478e0c68d8", "last_affected_version": "3.16.2", "nvd_text": "net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly validate auth replies, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via crafted data from the IP address of a Ceph Monitor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-6418", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-6418", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-6418", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-6418", "SUSE": "https://www.suse.com/security/cve/CVE-2014-6418", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6418" } }, "CVE-2014-7145": { "affected_versions": "v3.6-rc1 to v3.17-rc2", "breaks": "faaf946a7d5b79194358437150f34ab4c66bfe21", "cmt_msg": "[CIFS] Possible null ptr deref in SMB2_tcon", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "18f39e7be0121317550d03e267e3ebd4dbfbb3ce", "nvd_text": "The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7145", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7145", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7145", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2014-7145", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7145", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7145" } }, "CVE-2014-7207": { "backport": true, "breaks": "73f156a6e8c1074ac6327e0abd1169e95eb66463", "cmt_msg": "ipv6: reuse ip6_frag_id from ip6_ufo_append_data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "916e4cf46d0204806c062c8c6c4d1f633852c5b6", "last_affected_version": "3.12.14", "nvd_text": "A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging (1) tun or (2) macvtap device access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7207", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7207", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7207", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7207", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7207", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7207" } }, "CVE-2014-7283": { "affected_versions": "v3.10-rc1 to v3.15-rc1", "breaks": "f5ea110044fa858925a880b4fa9f551bfa2dfc38", "cmt_msg": "xfs: fix directory hash ordering bug", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Resource Management Errors", "fixes": "c88547a8119e3b581318ab65e9b72f27f23e641d", "last_affected_version": "3.14.1", "nvd_text": "The xfs_da3_fixhashpath function in 
fs/xfs/xfs_da_btree.c in the xfs implementation in the Linux kernel before 3.14.2 does not properly compare btree hash values, which allows local users to cause a denial of service (filesystem corruption, and OOPS or panic) via operations on directories that have hash collisions, as demonstrated by rmdir operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7283", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7283", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7283", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7283", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7283", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7283" } }, "CVE-2014-7284": { "affected_versions": "v3.13-rc1 to v3.15-rc7", "breaks": "a48e42920ff38bc90bbf75143fff4555723d4540", "cmt_msg": "net: avoid dependency of net_get_random_once on nop patching", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "6.4" }, "cwe": "Information Leak / Disclosure", "fixes": "3d4405226d27b3a215e4d03cfa51f536244e5de7", "last_affected_version": "3.14.4", "nvd_text": "The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7284", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7284", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7284", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7284", "SUSE": 
"https://www.suse.com/security/cve/CVE-2014-7284", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7284" } }, "CVE-2014-7822": { "affected_versions": "v2.6.12-rc2 to v3.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "->splice_write() via ->write_iter()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "8d0207652cbe27d1f962050737848e5ad4671958", "last_affected_version": "3.14.46", "nvd_text": "The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7822", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7822", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7822", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7822", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7822", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7822" } }, "CVE-2014-7825": { "affected_versions": "v2.6.12-rc2 to v3.18-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tracing/syscalls: Ignore numbers outside NR_syscalls' range", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "086ba77a6db00ed858ff07451bedee197df868c9", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7825", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7825", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7825", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7825", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7825", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7825" } }, "CVE-2014-7826": { "affected_versions": "v2.6.12-rc2 to v3.18-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tracing/syscalls: Ignore numbers outside NR_syscalls' range", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "086ba77a6db00ed858ff07451bedee197df868c9", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "kernel/trace/trace_syscalls.c in 
the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7826", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7826", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7826", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7826", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7826", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7826" } }, "CVE-2014-7841": { "affected_versions": "v2.6.25-rc1 to v3.18-rc5", "breaks": "d6de3097592b7ae7f8e233a4dafb088e2aa8170f", "cmt_msg": "net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Resource Management Errors", "fixes": "e40607cbe270a9e8360907cb1e62ddf0736e4864", "last_affected_version": "3.16.34", "nvd_text": "The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7841", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7841", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7841", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7841", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7841", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7841" } }, "CVE-2014-7842": { "affected_versions": "v2.6.38-rc1 to v3.18-rc1", 
"breaks": "fc3a9157d3148ab91039c75423da8ef97be3e105", "cmt_msg": "KVM: x86: Don't report guest userspace emulation error to userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Race Conditions", "fixes": "a2b9e6c1a35afcc0973acb72e591c714e78885ff", "last_affected_version": "3.16.34", "nvd_text": "Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7842", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7842", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7842", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7842", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7842", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7842" } }, "CVE-2014-7843": { "affected_versions": "v3.7-rc1 to v3.18-rc5", "breaks": "0aea86a2176c22647a5b683768f858d880d5e05b", "cmt_msg": "arm64: __clear_user: handle exceptions on strb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Code", "fixes": "97fc15436b36ee3956efad83e22a557991f7d19d", "last_affected_version": "3.16.34", "nvd_text": "The __clear_user function in arch/arm64/lib/clear_user.S in the Linux kernel before 3.17.4 on the ARM64 platform allows local users to cause a denial of service (system crash) by reading one byte beyond a /dev/zero page boundary.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2014-7843", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7843", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7843", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7843", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7843", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7843" } }, "CVE-2014-7970": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mnt: Prevent pivot_root from creating a loop in the mount tree", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "0d0826019e529f21c84687521d03f60cd241ca7d", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . 
(dot) values in both arguments to the pivot_root system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7970", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7970", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7970", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-7970", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7970", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7970" } }, "CVE-2014-7975": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs: Add a missing permission check to do_umount", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "a1480dcc3c706e309a88884723446f2e84fedd5b", "last_affected_version": "3.16.6", "last_modified": "2020-08-20", "nvd_text": "The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-7975", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-7975", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-7975", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2014-7975", "SUSE": "https://www.suse.com/security/cve/CVE-2014-7975", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7975" } }, "CVE-2014-8086": { "affected_versions": "v3.16-rc1 to v3.18-rc3", "breaks": "8ad2850f44831919f63f0e58d7203e65d5b3914c", "cmt_msg": "ext4: prevent bugon on race between write/fcntl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "a41537e69b4aa43f0fea02498c2595a81267383b", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8086", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8086", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8086", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8086", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8086", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8086" } }, "CVE-2014-8133": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/tls: Validate TLS entries to protect espfix", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "2.1" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "41bdc78544b8a93a9c6814b8bbbfef966272abbe", "last_affected_version": "3.18.1", "nvd_text": "arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8133", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8133", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8133", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8133", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8133" } }, "CVE-2014-8134": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "29fa6825463c97e5157284db80107d1bfac5d77b", "last_affected_version": "3.18.1", "last_modified": "2020-08-20", "nvd_text": "The paravirt_ops_setup function 
in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8134", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8134", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8134", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8134", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8134", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8134" } }, "CVE-2014-8159": { "affected_versions": "v2.6.12-rc2 to v4.0-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "8494057ab5e40df590ef6ef7d66324d3ae33356b", "last_affected_version": "3.18.12", "nvd_text": "The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8159", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8159", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8159", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8159", "SUSE": 
"https://www.suse.com/security/cve/CVE-2014-8159", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8159" } }, "CVE-2014-8160": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: conntrack: disable generic tracking for known protocols", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "5.0" }, "cwe": "Security Features", "fixes": "db29a9508a9246e77087c5531e45b2c88ec6988b", "last_affected_version": "3.16.34", "nvd_text": "net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8160", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8160", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8160", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8160", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8160", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8160" } }, "CVE-2014-8171": { "affected_versions": "v2.6.12-rc2 to v3.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: memcg: do not trap chargers with full callstack on OOM", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": 
"Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Resource Management Errors", "fixes": "3812c8c8f3953921ef18544110dafc3505c1ac62", "nvd_text": "The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8171", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8171", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8171", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8171", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8171", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8171" } }, "CVE-2014-8172": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "get rid of s_files and files_lock", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Code", "fixes": "eee5cc2702929fd41cce28058dc6d6717f723f87", "last_affected_version": "3.12.44", "nvd_text": "The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of files with an inappropriate locking approach, which allows local users to cause a denial of service (soft lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8172", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8172", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8172", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8172", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8172", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8172" } }, 
"CVE-2014-8173": { "affected_versions": "v3.9-rc1 to v3.13-rc5", "breaks": "1998cc048901109a29924380b8e91bc049b32951", "cmt_msg": "mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Other", "fixes": "ee53664bda169f519ce3c6a22d378f0b946c8178", "last_affected_version": "3.12.42", "nvd_text": "The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED madvise system call that leverages the absence of a page-table lock.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8173", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8173", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8173", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8173", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8173", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8173" } }, "CVE-2014-8181": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 
"5.5" }, "cwe": "Improper Initialization", "fixes": "", "last_modified": "2019-11-10", "nvd_text": "The kernel in Red Hat Enterprise Linux 7 and MRG-2 does not clear garbage data for the SG_IO buffer, which may leak sensitive information to userspace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8181", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8181", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8181", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8181", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8181", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8181" }, "vendor_specific": true }, "CVE-2014-8369": { "affected_versions": "v3.17-rc2 to v3.18-rc2", "breaks": "350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Numeric Errors", "fixes": "3d32e4dbe71374a6780eaf51d719d76f9a9bf22f", "last_modified": "2020-08-20", "nvd_text": "The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. 
NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8369", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8369", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8369", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8369", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8369", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8369" } }, "CVE-2014-8480": { "affected_versions": "v3.17-rc1 to v3.18-rc2", "breaks": "41061cdb98a0bec464278b4db8e894a3121671f5", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Resource Management Errors", "fixes": "3f6f1480d86bf9fc16c160d803ab1d006e3058d5", "nvd_text": "The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 lacks intended decoder-table flags for certain RIP-relative instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8480", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8480", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8480", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8480", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8480", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8480" } }, "CVE-2014-8481": { "affected_versions": "v3.17-rc1 to v3.18-rc2", "breaks": "41061cdb98a0bec464278b4db8e894a3121671f5", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, 
"cwe": "Resource Management Errors", "fixes": "a430c9166312e1aa3d80bce32374233bdbfeba32", "nvd_text": "The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 does not properly handle invalid instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application that triggers (1) an improperly fetched instruction or (2) an instruction that occupies too many bytes. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8480.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8481", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8481", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8481", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8481", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8481", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8481" } }, "CVE-2014-8559": { "affected_versions": "v2.6.39-rc1 to v3.19-rc1", "breaks": "c826cb7dfce80512c26c984350077a25046bd215", "cmt_msg": "move d_rcu from overlapping d_child to overlapping d_alias", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "946e51f2bf37f1656916eb75bd0742ba33983c28", "last_affected_version": "3.18.0", "last_modified": "2020-08-20", "nvd_text": "The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local 
users to cause a denial of service (deadlock and system hang) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8559", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8559", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8559", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8559", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8559", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8559" } }, "CVE-2014-8709": { "affected_versions": "v2.6.30-rc1 to v3.14-rc3", "breaks": "2de8e0d999b8790861cd3749bec2236ccc1c8110", "cmt_msg": "mac80211: fix fragmentation code, particularly for encryption", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.0" }, "cwe": "Information Leak / Disclosure", "fixes": "338f977f4eb441e69bb9a46eaa0ac715c931a67f", "last_affected_version": "3.12.12", "nvd_text": "The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8709", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8709", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8709", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8709", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8709", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8709" } }, "CVE-2014-8884": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "[media] ttusb-dec: buffer overflow in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.1" }, "cwe": "Buffer Errors", "fixes": "f2e323ec96077642d397bb1c355def536d489d16", "last_affected_version": "3.16.34", "nvd_text": "Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8884", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8884", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8884", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8884" } }, "CVE-2014-8989": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "userns: Don't allow setgroups until a gid mapping has been setablished", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "273d2c67c3e179adb1e74f403d1e9a06e3f841b5", "last_affected_version": "3.18.1", "nvd_text": "The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a \"negative groups\" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2014-8989", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-8989", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-8989", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-8989", "SUSE": "https://www.suse.com/security/cve/CVE-2014-8989", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8989" } }, "CVE-2014-9090": { "affected_versions": "v2.6.12-rc2 to v3.18-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86_64, traps: Stop using IST for #SS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Code", "fixes": "6f442be2fb22be02cafa606f1769fa1e6f894441", "last_affected_version": "3.16.34", "nvd_text": "The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9090", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9090", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9090", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9090", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9090", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9090" } }, "CVE-2014-9322": { "affected_versions": "v2.6.12-rc2 to v3.18-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86_64, traps: Stop using IST for #SS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality 
Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "6f442be2fb22be02cafa606f1769fa1e6f894441", "last_affected_version": "3.16.34", "last_modified": "2020-08-20", "nvd_text": "arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9322", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9322", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9322", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9322", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9322", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9322" } }, "CVE-2014-9419": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86_64, switch_to(): Load TLS descriptors before switching DS and ES", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", "fixes": "f647d7c155f069c1a068030255c300663516420e", "last_affected_version": "3.18.1", "nvd_text": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding 
with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9419", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9419", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9419", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9419", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9419", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9419" } }, "CVE-2014-9420": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isofs: Fix infinite looping over CE entries", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Resource Management Errors", "fixes": "f54e18f1b831c92f6512d2eedb224cd63d607d3d", "last_affected_version": "3.18.1", "nvd_text": "The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9420", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9420", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9420", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9420", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9420", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9420" } }, "CVE-2014-9428": { "affected_versions": "v3.13-rc1 to v3.19-rc3", "breaks": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "cmt_msg": "batman-adv: Calculate extra tail size based on queued fragments", 
"cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cwe": "Resource Management Errors", "fixes": "5b6698b0e4a37053de35cc24ee695b98a7eb712b", "last_affected_version": "3.18.3", "nvd_text": "The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9428", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9428", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9428", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9428", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9428", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9428" } }, "CVE-2014-9529": { "affected_versions": "v2.6.12-rc2 to v3.19-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: close race between key lookup and freeing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Race Conditions", "fixes": "a3a8784454692dd72e5d5d34dcdab17b4420e74c", "last_affected_version": "3.18.4", "nvd_text": "Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2014-9529", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9529", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9529", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9529", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9529", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9529" } }, "CVE-2014-9584": { "affected_versions": "v2.6.12-rc2 to v3.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isofs: Fix unchecked printing of ER records", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Input Validation", "fixes": "4e2024624e678f0ebb916e6192bd23c1f9fdf696", "last_affected_version": "3.18.1", "nvd_text": "The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9584", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9584", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9584", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9584", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9584", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9584" } }, "CVE-2014-9585": { "affected_versions": "v2.6.12-rc2 to v3.19-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86_64, vdso: Fix the vdso address randomization algorithm", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": 
"Partial", "score": "2.1" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "394f56fe480140877304d342dec46d50dc823d46", "last_affected_version": "3.18.2", "nvd_text": "The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9585", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9585", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9585", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9585", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9585", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9585" } }, "CVE-2014-9644": { "affected_versions": "v2.6.38-rc1 to v3.19-rc1", "breaks": "03c8efc1ffeb6b82a22c1af8dd908af349563314", "cmt_msg": "crypto: include crypto- module prefix in template", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "2.1" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "4943ba16bbc2db05115707b3ff7b4874e9e3c560", "last_affected_version": "3.18.4", "nvd_text": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9644", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9644", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9644", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2014-9644", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9644", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9644" } }, "CVE-2014-9683": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "eCryptfs: Remove buggy and unnecessary write in file name decode routine", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "3.6" }, "cwe": "Numeric Errors", "fixes": "942080643bce061c3dd9d5718d3b745dcb39a8bc", "last_affected_version": "3.18.1", "nvd_text": "Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9683", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9683", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9683", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9683", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9683", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9683" } }, "CVE-2014-9710": { "affected_versions": "v2.6.12-rc2 to v3.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Btrfs: make xattr replace operations atomic", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Race Conditions", "fixes": "5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339", "last_affected_version": "3.18.18", "nvd_text": "The Btrfs 
implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9710", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9710", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9710", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9710", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9710", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9710" } }, "CVE-2014-9715": { "affected_versions": "v3.6-rc5 to v3.15-rc1", "breaks": "5b423f6a40a0327f9d40bc8b97ce9be266f74368", "cmt_msg": "netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "223b02d923ecd7c84cf9780bb3686f455d279279", "last_affected_version": "3.14.4", "nvd_text": "include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9715", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9715", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9715", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2014-9715", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9715", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9715" } }, "CVE-2014-9717": { "affected_versions": "v2.6.12-rc2 to v4.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mnt: Update detach_mounts to leave mounts connected", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "3.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "6.1" }, "cwe": "Improper Access Control", "fixes": "e0c9c0afd2fc958ffa34b697972721d81df8a56f", "nvd_text": "fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9717", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9717", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9717", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9717", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9717", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9717" } }, "CVE-2014-9728": { "affected_versions": "v2.6.12-rc2 to v3.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Verify i_size when loading inode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": 
"None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Buffer Errors", "fixes": "e159332b9af4b04d882dbcfe1bb0117f0a6d4b58", "last_affected_version": "3.18.1", "nvd_text": "The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9728", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9728", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9728", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9728", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9728", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9728" } }, "CVE-2014-9729": { "affected_versions": "v2.6.12-rc2 to v3.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Verify i_size when loading inode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Insufficient Information", "fixes": "e159332b9af4b04d882dbcfe1bb0117f0a6d4b58", "last_affected_version": "3.18.1", "nvd_text": "The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9729", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9729", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9729", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9729", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9729", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9729" } }, "CVE-2014-9730": { "affected_versions": "v2.6.12-rc2 to v3.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Check component length before reading it", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Insufficient Information", "fixes": "e237ec37ec154564f8690c5bd1795339955eeef9", "last_affected_version": "3.18.1", "nvd_text": "The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9730", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9730", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9730", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9730", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9730", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9730" } }, "CVE-2014-9731": { "affected_versions": "v2.6.12-rc2 to v3.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Check path length when reading symlink", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Code", "fixes": "0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14", "last_affected_version": "3.18.1", "nvd_text": "The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \\0 character, which allows local users to obtain sensitive 
information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9731", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9731", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9731", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9731", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9731", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9731" } }, "CVE-2014-9777": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "17bfaf64ad503d2e6607d2d3e0956f25bf07eb43", "nvd_text": "The vid_dec_set_meta_buffers function in drivers/video/msm/vidc/common/dec/vdec.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 and 7 (2013) devices does not validate the number of buffers, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28598501 and Qualcomm internal bug CR563654.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9777", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9777", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9777", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9777" }, "vendor_specific": true }, "CVE-2014-9778": { "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "af85054aa6a1bcd38be2354921f2f80aef1440", "nvd_text": "The vid_dec_set_h264_mv_buffers function in drivers/video/msm/vidc/common/dec/vdec.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 and 7 (2013) devices does not validate the number of buffers, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28598515 and Qualcomm internal bug CR563694.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9778", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9778", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9778", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9778", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9778", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9778" }, "vendor_specific": true }, "CVE-2014-9779": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": 
"arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 devices allows attackers to obtain sensitive information from kernel memory via a crafted offset, aka Android internal bug 28598347 and Qualcomm internal bug CR548679.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9779", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9779", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9779", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9779", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9779", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9779" }, "vendor_specific": true }, "CVE-2014-9780": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/video/msm/mdss/mdp3_ctrl.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5, 5X, and 6P devices does not validate start and length values, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28602014 and Qualcomm internal bug CR542222.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9780", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9780", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9780", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9780", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9780", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9780" }, "vendor_specific": true }, "CVE-2014-9781": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "a2b5237ad265ec634489c8b296d870827b2a1b13", "nvd_text": "Buffer overflow in drivers/video/fbcmap.c in the Qualcomm components in Android before 2016-07-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28410333 and Qualcomm internal bug CR556471.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9781", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9781", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9781", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9781" }, "vendor_specific": true }, "CVE-2014-9782": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, 
Privileges, and Access Control", "fixes": "2e57a46ab2ba7299d99d9cdc1382bd1e612963fb", "nvd_text": "drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 and 7 (2013) devices does not validate direction and step parameters, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28431531 and Qualcomm internal bug CR511349.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9782", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9782", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9782", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9782", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9782", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9782" }, "vendor_specific": true }, "CVE-2014-9783": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "2b1050b49a9a5f7bb57006648d145e001a3eaa8b", "nvd_text": "drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c in the Qualcomm components in Android before 2016-07-05 on Nexus 7 (2013) devices does not validate certain values, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28441831 and Qualcomm internal bug CR511382.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9783", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2014-9783", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9783", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9783", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9783", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9783" }, "vendor_specific": true }, "CVE-2014-9784": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "36503d639cedcc73880974ed92132247576e72ba", "nvd_text": "Multiple buffer overflows in drivers/char/diag/diag_debugfs.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 and 7 (2013) devices allow attackers to gain privileges via a crafted application, aka Android internal bug 28442449 and Qualcomm internal bug CR585147.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9784", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9784", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9784", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9784", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9784", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9784" }, "vendor_specific": true }, "CVE-2014-9785": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": 
"9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "b4338420db61f029ca6713a89c41b3a5852b20ce", "nvd_text": "drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-07-05 on Nexus 7 (2013) devices does not validate addresses before copying data, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28469042 and Qualcomm internal bug CR545747.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9785", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9785", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9785", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9785", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9785", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9785" }, "vendor_specific": true }, "CVE-2014-9786": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "2fb303d9c6ca080f253b10ed9384293ca69ad32b", "nvd_text": "Heap-based buffer overflow in drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges via a crafted application, aka 
Android internal bug 28557260 and Qualcomm internal bug CR545979.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9786", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9786", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9786", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9786" }, "vendor_specific": true }, "CVE-2014-9787": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Numeric Errors", "fixes": "528400ae4cba715f6c9ff4a2657dafd913f30b8b", "nvd_text": "Integer overflow in drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-07-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28571496 and Qualcomm internal bug CR545764.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9787", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9787", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9787", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9787", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9787", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9787" }, "vendor_specific": true }, "CVE-2014-9788": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "", "nvd_text": "Multiple buffer overflows in the voice drivers in the Qualcomm components in Android before 2016-07-05 on Nexus 5 devices allow attackers to gain privileges via a crafted application, aka Android internal bug 28573112 and Qualcomm internal bug CR548872.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9788", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9788", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9788", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9788", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9788", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9788" }, "vendor_specific": true }, "CVE-2014-9789": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "The (1) alloc and (2) free APIs in arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 devices do not validate parameters, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28749392 and Qualcomm internal 
bug CR556425.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9789", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9789", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9789", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9789", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9789", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9789" }, "vendor_specific": true }, "CVE-2014-9803": { "affected_versions": "v3.16-rc1 to v3.16-rc1", "backport": true, "breaks": "bc07c2c6e9ed125d362af0214b6313dca180cb08", "cmt_msg": "Revert \"arm64: Introduce execute-only page access permissions\"", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Data Handling", "fixes": "5a0fdfada3a2aa50d7b947a2e958bf00cbe0d830", "last_modified": "2021-07-08", "nvd_text": "arch/arm64/include/asm/pgtable.h in the Linux kernel before 3.15-rc5-next-20140519, as used in Android before 2016-07-05 on Nexus 5X and 6P devices, mishandles execute-only pages, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28557020.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9803", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9803", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9803", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9803", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9803", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9803" } }, "CVE-2014-9863": { "breaks": 
"", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Integer Overflow or Wraparound", "fixes": "", "nvd_text": "Integer underflow in the diag driver in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28768146 and Qualcomm internal bug CR549470.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9863", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9863", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9863", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9863", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9863", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9863" }, "vendor_specific": true }, "CVE-2014-9864": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate ioctl calls, which allows attackers to 
gain privileges via a crafted application, aka Android internal bug 28747998 and Qualcomm internal bug CR561841.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9864", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9864", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9864", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9864", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9864", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9864" }, "vendor_specific": true }, "CVE-2014-9865": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Improper Access Control", "fixes": "", "nvd_text": "drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not properly restrict user-space input, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28748271 and Qualcomm internal bug CR550013.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9865", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9865", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9865", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9865", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9865", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9865" }, "vendor_specific": true }, "CVE-2014-9866": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": 
"None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate a certain parameter, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28747684 and Qualcomm internal bug CR511358.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9866", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9866", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9866", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9866", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9866", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9866" }, "vendor_specific": true }, "CVE-2014-9867": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate the number of streams, which allows attackers to gain 
privileges via a crafted application, aka Android internal bug 28749629 and Qualcomm internal bug CR514702.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9867", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9867", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9867", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9867", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9867", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9867" }, "vendor_specific": true }, "CVE-2014-9868": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges via an application that provides a crafted mask value, aka Android internal bug 28749721 and Qualcomm internal bug CR511976.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9868", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9868", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9868", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9868", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9868", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9868" }, "vendor_specific": true }, "CVE-2014-9869": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network 
Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate certain index values, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28749728 and Qualcomm internal bug CR514711.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9869", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9869", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9869", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9869", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9869", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9869" }, "vendor_specific": true }, "CVE-2014-9870": { "affected_versions": "v3.4-rc6 to v3.11-rc1", "breaks": "6a1c53124aa161eb624ce7b1e40ade728186d34c", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "a4780adeefd042482f624f5e0d577bf9cdcbb760", "nvd_text": "The Linux kernel before 3.11 on 
ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly consider user-space access to the TPIDRURW register, which allows local users to gain privileges via a crafted application, aka Android internal bug 28749743 and Qualcomm internal bug CR561044.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9870", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9870", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9870", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9870", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9870", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9870" } }, "CVE-2014-9871": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "", "nvd_text": "Multiple buffer overflows in drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allow attackers to gain privileges via a crafted application, aka Android internal bug 28749803 and Qualcomm internal bug CR514717.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9871", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9871", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9871", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9871", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9871", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9871" }, 
"vendor_specific": true }, "CVE-2014-9872": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "The diag driver in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not ensure unique identifiers in a DCI client table, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28750155 and Qualcomm internal bug CR590721.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9872", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9872", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9872", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9872", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9872", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9872" }, "vendor_specific": true }, "CVE-2014-9873": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "Integer underflow in drivers/char/diag/diag_dci.c in the Qualcomm components in Android before 2016-08-05 
on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28750726 and Qualcomm internal bug CR556860.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9873", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9873", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9873", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9873", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9873", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9873" }, "vendor_specific": true }, "CVE-2014-9874": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "", "nvd_text": "Buffer overflow in the Qualcomm components in Android before 2016-08-05 on Nexus 5, 5X, 6P, and 7 (2013) devices allows attackers to gain privileges via a crafted application, related to arch/arm/mach-msm/qdsp6v2/audio_utils.c and sound/soc/msm/qdsp6v2/q6asm.c, aka Android internal bug 28751152 and Qualcomm internal bug CR563086.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9874", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9874", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9874", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9874", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9874", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9874" }, "vendor_specific": true }, "CVE-2014-9875": { "breaks": 
"", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/char/diag/diag_dci.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application that sends short DCI request packets, aka Android internal bug 28767589 and Qualcomm internal bug CR483310.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9875", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9875", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9875", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9875", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9875", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9875" }, "vendor_specific": true }, "CVE-2014-9876": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Numeric Errors", "fixes": "", "nvd_text": "drivers/char/diag/diagfwd.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5, 5X, 6, 6P, and 7 (2013) devices mishandles certain integer values, which 
allows attackers to gain privileges via a crafted application, aka Android internal bug 28767796 and Qualcomm internal bug CR483408.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9876", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9876", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9876", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9876", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9876", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9876" }, "vendor_specific": true }, "CVE-2014-9877": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Data Handling", "fixes": "", "nvd_text": "drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices mishandles a user-space pointer, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28768281 and Qualcomm internal bug CR547231.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9877", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9877", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9877", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9877", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9877", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9877" }, "vendor_specific": true }, "CVE-2014-9878": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": 
"Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/mmc/card/mmc_block_test.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not reject kernel-space buffer addresses, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28769208 and Qualcomm internal bug CR547479.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9878", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9878", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9878", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9878", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9878", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9878" }, "vendor_specific": true }, "CVE-2014-9879": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "The mdss mdp3 driver in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not validate user-space data, which allows attackers to gain privileges via a crafted 
application, aka Android internal bug 28769221 and Qualcomm internal bug CR524490.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9879", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9879", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9879", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9879", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9879", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9879" }, "vendor_specific": true }, "CVE-2014-9880": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/video/msm/vidc/common/enc/venc.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices does not validate VEN_IOCTL_GET_SEQUENCE_HDR ioctl calls, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28769352 and Qualcomm internal bug CR556356.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9880", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9880", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9880", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9880", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9880", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9880" }, "vendor_specific": true }, "CVE-2014-9881": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", 
"Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/media/radio/radio-iris.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices uses an incorrect integer data type, which allows attackers to gain privileges or cause a denial of service (buffer overflow) via a crafted application, aka Android internal bug 28769368 and Qualcomm internal bug CR539008.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9881", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9881", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9881", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9881", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9881", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9881" }, "vendor_specific": true }, "CVE-2014-9882": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Buffer Errors", "fixes": "", "nvd_text": "Buffer overflow in drivers/media/radio/radio-iris.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka 
Android internal bug 28769546 and Qualcomm internal bug CR552329.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9882", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9882", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9882", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9882", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9882", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9882" }, "vendor_specific": true }, "CVE-2014-9883": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Integer Underflow (Wrap or Wraparound)", "fixes": "", "nvd_text": "Integer overflow in drivers/char/diag/diag_dci.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28769912 and Qualcomm internal bug CR565160.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9883", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9883", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9883", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9883", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9883", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9883" }, "vendor_specific": true }, "CVE-2014-9884": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": 
"Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate certain pointers, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28769920 and Qualcomm internal bug CR580740.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9884", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9884", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9884", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9884" }, "vendor_specific": true }, "CVE-2014-9885": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "Format string vulnerability in drivers/thermal/qpnp-adc-tm.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices allows attackers to gain privileges via a crafted application that provides format string specifiers in a name, aka Android internal bug 28769959 and Qualcomm 
internal bug CR562261.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9885", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9885", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9885", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9885", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9885", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9885" }, "vendor_specific": true }, "CVE-2014-9886": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not properly validate input parameters, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28815575 and Qualcomm internal bug CR555030.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9886", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9886", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9886", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9886", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9886", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9886" }, "vendor_specific": true }, "CVE-2014-9887": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", 
"Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate certain length values, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28804057 and Qualcomm internal bug CR636633.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9887", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9887", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9887", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9887", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9887", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9887" }, "vendor_specific": true }, "CVE-2014-9888": { "affected_versions": "v2.6.12-rc2 to v3.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ARM: dma-mapping: don't allow DMA mappings to be marked executable", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "0ea1ec713f04bdfac343c9702b21cd3a7c711826", "last_affected_version": "3.2.84", "nvd_text": "arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as 
used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9888", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9888", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9888", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9888", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9888", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9888" } }, "CVE-2014-9889": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "6.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Input Validation", "fixes": "", "nvd_text": "drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not validate CPP frame messages, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28803645 and Qualcomm internal bug CR674712.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9889", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9889", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9889", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9889", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9889", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9889" }, "vendor_specific": true }, "CVE-2014-9890": 
{ "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "Off-by-one error in drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges via a crafted application that sends an I2C command, aka Android internal bug 28770207 and Qualcomm internal bug CR529177.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9890", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9890", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9890", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9890", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9890", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9890" }, "vendor_specific": true }, "CVE-2014-9891": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "nvd_text": "drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 
on Nexus 5 devices does not validate certain buffer addresses, which allows attackers to gain privileges via a crafted application that makes an ioctl call, aka Android internal bug 28749283 and Qualcomm internal bug CR550061.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9891", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9891", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9891", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9891", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9891", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9891" }, "vendor_specific": true }, "CVE-2014-9892": { "breaks": "b21c60a4edd22e26fbebe7dd7078349a8cfa7273", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "-", "nvd_text": "The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9892", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9892", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9892", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9892", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9892", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9892" }, "vendor_specific": true }, "CVE-2014-9893": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": "drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not properly determine the size of Gamut LUT data, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28747914 and Qualcomm internal bug CR542223.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9893", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9893", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9893", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9893", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9893", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9893" }, "vendor_specific": true }, "CVE-2014-9894": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": 
"drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices does not ensure that certain name strings end in a '\\0' character, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28749708 and Qualcomm internal bug CR545736.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9894", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9894", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9894", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9894", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9894", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9894" }, "vendor_specific": true }, "CVE-2014-9895": { "affected_versions": "v2.6.39-rc1 to v3.11-rc1", "breaks": "1651333b09743887bc2dd3d158a11853a2be3fe7", "cmt_msg": "[media] media: info leak in __media_device_enum_links()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "c88e739b1fad662240e99ecbd0bdaac871717987", "last_affected_version": "3.2.84", "nvd_text": "drivers/media/media-device.c in the Linux kernel before 3.11, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize certain data structures, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28750150 and Qualcomm internal bug CR570757, a different vulnerability than CVE-2014-1739.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2014-9895", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9895", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9895", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9895", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9895", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9895" } }, "CVE-2014-9896": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": "drivers/char/adsprpc.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not properly validate parameters and return values, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28767593 and Qualcomm internal bug CR551795.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9896", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9896", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9896", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9896" }, "vendor_specific": true }, "CVE-2014-9897": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": "sound/soc/msm/qdsp6v2/msm-lsm-client.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not validate certain user-space data, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28769856 and Qualcomm internal bug CR563752.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9897", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9897", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9897", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9897", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9897", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9897" }, "vendor_specific": true }, "CVE-2014-9898": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": "arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not properly validate input parameters, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28814690 and Qualcomm internal bug CR554575.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2014-9898", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9898", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9898", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9898", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9898", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9898" }, "vendor_specific": true }, "CVE-2014-9899": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "", "nvd_text": "drivers/usb/host/ehci-msm2.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices omits certain minimum calculations before copying data, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28803909 and Qualcomm internal bug CR547910.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9899", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9899", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9899", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9899", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9899", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9899" }, "vendor_specific": true }, "CVE-2014-9900": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity 
Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "-", "nvd_text": "The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9900", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9900", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9900", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9900", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9900", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9900" }, "vendor_specific": true }, "CVE-2014-9903": { "affected_versions": "v3.14-rc1 to v3.14-rc4", "breaks": "d50dde5a10f305253cbc3855307f608f8a3c5f73", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "4efbc454ba68def5ef285b26ebfcfdb605b52755", "nvd_text": "The sched_read_attr function in kernel/sched/core.c in the Linux kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows local users to obtain sensitive information from 
kernel stack memory via a crafted sched_getattr system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9903", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9903", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9903", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9903", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9903", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9903" } }, "CVE-2014-9904": { "affected_versions": "v3.7-rc1 to v3.17-rc1", "breaks": "b35cc8225845112a616e3a2266d2fde5ab13d3ab", "cmt_msg": "ALSA: compress: fix an integer overflow check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Other", "fixes": "6217e5ede23285ddfee10d2e4ba0cc2d4c046205", "last_affected_version": "3.16.36", "nvd_text": "The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9904", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9904", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9904", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9904", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9904", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9904" } }, "CVE-2014-9914": { "affected_versions": "v2.6.12-rc2 to v3.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv4: fix a race in ip4_datagram_release_cb()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Race Conditions", "fixes": "9709674e68646cee5a24e3000b3558d25412203a", "last_affected_version": "3.14.8", "nvd_text": "Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures for IPv4 UDP sockets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9914", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9914", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9914", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9914", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9914", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9914" } }, "CVE-2014-9922": { "affected_versions": "v2.6.19-rc1 to v3.18-rc2", "breaks": "237fead619984cc48818fe12ee0ceada3f55b012", "cmt_msg": "fs: limit filesystem stacking depth", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { 
"Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "69c433ed2ecd2d3264efd7afec4439524b319121", "last_affected_version": "3.16.36", "nvd_text": "The eCryptfs subsystem in the Linux kernel before 3.18 allows local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9922", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9922", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9922", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9922", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9922", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9922" } }, "CVE-2014-9940": { "affected_versions": "v3.10-rc1 to v3.19-rc1", "breaks": "f19b00da8ed37db4e3891fe534fcf3a605a0e562", "cmt_msg": "regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.6" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.0" }, "cwe": "Use After Free", "fixes": "60a2362f769cf549dc466134efe71c8bf9fbaaba", "last_affected_version": "3.18.51", "nvd_text": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service 
(use-after-free) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2014-9940", "ExploitDB": "https://www.exploit-db.com/search?cve=2014-9940", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2014-9940", "Red Hat": "https://access.redhat.com/security/cve/CVE-2014-9940", "SUSE": "https://www.suse.com/security/cve/CVE-2014-9940", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9940" } }, "CVE-2015-0239": { "affected_versions": "v2.6.12-rc2 to v3.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: SYSENTER emulation is broken", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cwe": "Race Conditions", "fixes": "f3747379accba8e95d70cec0eae0582c8c182050", "last_affected_version": "3.18.4", "last_modified": "2023-12-06", "nvd_text": "The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-0239", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-0239", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-0239", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-0239", "SUSE": "https://www.suse.com/security/cve/CVE-2015-0239", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0239" } }, "CVE-2015-0274": { "affected_versions": "v3.11-rc1 to v3.15-rc5", "breaks": "e461fcb194172b3f709e0b478d2ac1bdac7ab9a3", "cmt_msg": "xfs: remote attribute overwrite causes transaction overrun", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cwe": "Data Handling", "fixes": "8275cdd0e7ac550dcce2b3ef6d2fb3b808c1ae59", "last_modified": "2023-12-06", "nvd_text": "The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote attribute replacement, which allows local users to cause a denial of service (transaction overrun and data corruption) or possibly gain privileges by leveraging XFS filesystem access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-0274", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-0274", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-0274", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-0274", "SUSE": "https://www.suse.com/security/cve/CVE-2015-0274", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0274" } }, "CVE-2015-0275": { "affected_versions": "v3.15-rc1 to v4.1-rc1", "breaks": "b8a8684502a0fc852afa0056c6bb2a9273f6fcc0", "cmt_msg": "ext4: allocate entire range in zero range", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Code", "fixes": "0f2af21aae11972fa924374ddcf52e88347cf5a8", "last_affected_version": "3.18.24", "last_modified": "2023-12-06", "nvd_text": "The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel before 4.1 allows local users to cause a denial of service (BUG) via a crafted fallocate zero-range request.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-0275", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-0275", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-0275", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-0275", "SUSE": "https://www.suse.com/security/cve/CVE-2015-0275", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0275" } }, "CVE-2015-0777": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Information Leak / Disclosure", "fixes": "-", "last_modified": "2023-12-06", "nvd_text": "drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-0777", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-0777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-0777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-0777", "SUSE": "https://www.suse.com/security/cve/CVE-2015-0777", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0777" }, "vendor_specific": true }, "CVE-2015-1328": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": 
"2023-12-06", "nvd_text": "The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1328", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1328", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1328", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1328", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1328", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328" }, "vendor_specific": true }, "CVE-2015-1333": { "affected_versions": "v3.13-rc1 to v4.2-rc5", "breaks": "034faeb9ef390d58239e1dce748143f6b35a0d9b", "cmt_msg": "KEYS: ensure we free the assoc array edit if edit is valid", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Buffer Errors", "fixes": "ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0", "last_affected_version": "4.1.3", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1333", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1333", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1333", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1333", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1333", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1333" } }, "CVE-2015-1339": { "affected_versions": "v4.2-rc1 to v4.4-rc5", "breaks": "cc080e9e9be16ccf26135d366d7d2b65209f1d56", "cmt_msg": "cuse: fix memory leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Resource Management Errors", "fixes": "2c5816b4beccc8ba709144539f6fdd764f8fa49c", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in the Linux kernel before 4.4 allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1339", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1339", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1339", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1339", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1339", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1339" } }, "CVE-2015-1350": { "affected_versions": "v2.6.24-rc1 to v4.9-rc1", "breaks": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "cmt_msg": "fs: Avoid premature clearing of capabilities", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": 
{ "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "030b533c4fd4d2ec3402363323de4bb2983c9cee", "last_affected_version": "4.1.36", "last_modified": "2023-12-06", "nvd_text": "The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1350", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1350", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1350", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1350", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1350", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1350" } }, "CVE-2015-1420": { "affected_versions": "v2.6.39-rc1 to v4.1-rc7", "breaks": "becfd1f37544798cbdfd788f32c827160fab98c1", "cmt_msg": "vfs: read file_handle only once in handle_to_path", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cwe": "Race Conditions", "fixes": "161f873b89136eb1e69477c847d5a5033239d9ba", "last_affected_version": "3.18.14", "last_modified": "2023-12-06", "nvd_text": "Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended 
size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1420", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1420", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1420", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1420", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1420", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1420" } }, "CVE-2015-1421": { "affected_versions": "v2.6.12-rc2 to v3.19-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: sctp: fix slab corruption from use after free on INIT collisions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cwe": "Unspecified", "fixes": "600ddd6825543962fb807884169e57b580dba208", "last_affected_version": "3.18.7", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1421", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1421", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1421", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1421", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1421", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1421" } }, "CVE-2015-1465": { "affected_versions": 
"v3.16-rc3 to v3.19-rc7", "breaks": "f88649721268999bdff09777847080a52004f691", "cmt_msg": "ipv4: try to cache dst_entries which would cause a redirect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cwe": "Code", "fixes": "df4d92549f23e1c037e83323aff58a21b3de7fe0", "last_affected_version": "3.18.7", "last_modified": "2023-12-06", "nvd_text": "The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1465", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1465", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1465", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1465", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1465", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1465" } }, "CVE-2015-1573": { "affected_versions": "v3.18-rc1 to v3.19-rc5", "breaks": "b9ac12ef099707f405d7478009564302d7ed8393", "cmt_msg": "netfilter: nf_tables: fix flush ruleset chain dependencies", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 
"score": 5.5 }, "cwe": "Data Handling", "fixes": "a2f18db0c68fec96631c10cad9384c196e9008ac", "last_affected_version": "3.18.4", "last_modified": "2023-12-06", "nvd_text": "The nft_flush_table function in net/netfilter/nf_tables_api.c in the Linux kernel before 3.18.5 mishandles the interaction between cross-chain jumps and ruleset flushes, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1573", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1573", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1573", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1573", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1573", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1573" } }, "CVE-2015-1593": { "affected_versions": "v2.6.12-rc2 to v4.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86, mm/ASLR: Fix stack randomization on 64-bit systems", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "4e7c22d447bb6d7e37bfe39ff658486ae78e8d77", "last_affected_version": "3.18.8", "last_modified": "2023-12-06", "nvd_text": "The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1593", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2015-1593", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1593", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1593", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1593", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1593" } }, "CVE-2015-1805": { "affected_versions": "v2.6.12-rc2 to v3.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "new helper: copy_page_from_iter()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cwe": "Code", "fixes": "f0d1bec9d58d4c038d0ac958c9af82be6eb18045", "last_modified": "2023-12-06", "nvd_text": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-1805", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-1805", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-1805", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-1805", "SUSE": "https://www.suse.com/security/cve/CVE-2015-1805", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1805" } }, "CVE-2015-2041": { "affected_versions": "v2.6.14-rc3 to v3.19-rc7", "breaks": "590232a7150674b2036291eaefce085f3f9659c8", "cmt_msg": "net: llc: use correct size for sysctl timeout entries", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", 
"Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cwe": "Code", "fixes": "6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2041", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2041", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2041", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2041", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2041", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2041" } }, "CVE-2015-2042": { "affected_versions": "v2.6.30-rc1 to v3.19", "breaks": "3e5048495c8569bfdd552750e0315973c61e7c93", "cmt_msg": "net: rds: use correct size for max unacked packets and bytes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cwe": "Code", "fixes": "db27ebb111e9f69efece08e4cb6a34ff980f8896", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2042", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2042", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2042", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2015-2042", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2042", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2042" } }, "CVE-2015-2150": { "affected_versions": "v2.6.12-rc2 to v4.0-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-pciback: limit guest control of command register", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "af6fc858a35b90e89ea7a7ee58e66628c55c776b", "last_affected_version": "3.18.10", "last_modified": "2023-12-06", "nvd_text": "Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2150", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2150", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2150", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2150", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2150", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2150" } }, "CVE-2015-2666": { "affected_versions": "v3.9-rc1 to v4.0-rc1", "breaks": "ec400ddeff200b068ddc6c70f7321f49ecf32ed5", "cmt_msg": "x86/microcode/intel: Guard against stack overflow in the loader", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", 
"raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cwe": "Buffer Errors", "fixes": "f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4", "last_affected_version": "3.18.18", "last_modified": "2023-12-06", "nvd_text": "Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2666", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2666", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2666", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2666", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2666", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2666" } }, "CVE-2015-2672": { "affected_versions": "v3.17-rc1 to v4.0-rc3", "breaks": "f31a9f7c71691569359fa7fb8b0acaa44bce0324", "cmt_msg": "x86/fpu/xsaves: Fix improper uses of __ex_table", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "06c8173eb92bbfc03a0fe8bb64315857d0badd06", "last_affected_version": "3.18.9", "last_modified": "2023-12-06", "nvd_text": "The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the Linux kernel before 3.19.2 creates certain .altinstr_replacement pointers and consequently does not provide any 
protection against instruction faulting, which allows local users to cause a denial of service (panic) by triggering a fault, as demonstrated by an unaligned memory operand or a non-canonical address memory operand.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2672", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2672", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2672", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2672", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2672", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2672" } }, "CVE-2015-2686": { "affected_versions": "v3.19-rc1 to v4.0-rc6", "breaks": "c0371da6047abd261bc483c744dbc7d81a116172", "cmt_msg": "net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "4de930efc23b92ddf88ce91c405ee645fe6e27ea", "last_modified": "2023-12-06", "nvd_text": "net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2686", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2015-2686", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2686", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2686", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2686", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2686" } }, "CVE-2015-2830": { "affected_versions": "v2.6.12-rc2 to v4.0-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "score": "1.9" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "956421fbb74c3a6261903f3836c0740187cf038b", "last_affected_version": "3.18.9", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2830", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2830", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2830", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2830", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2830", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2830" } }, "CVE-2015-2877": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": 
"Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "3.3" }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states \"Basically if you care about this attack vector, disable deduplication.\" Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2877", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2877", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2877", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2877", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2877", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2877" } }, "CVE-2015-2922": { "affected_versions": "v2.6.12-rc2 to v4.0-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: Don't reduce hop limit for an interface", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "3.3" }, "cwe": "Code", "fixes": "6fd99094de2b83d1d4c8457f2c83483b2828e75a", "last_affected_version": "3.18.12", "last_modified": "2023-12-06", "nvd_text": "The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the 
Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2922", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2922", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2922", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2922", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2922", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2922" } }, "CVE-2015-2925": { "affected_versions": "v2.6.12-rc2 to v4.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dcache: Handle escaped paths in prepend_path", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cwe": "Security Features", "fixes": "cde93be45a8a90d8c264c776fab63487b5038a65", "last_affected_version": "4.1.10", "last_modified": "2023-12-06", "nvd_text": "The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-2925", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-2925", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-2925", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-2925", "SUSE": "https://www.suse.com/security/cve/CVE-2015-2925", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2925" } }, "CVE-2015-3212": { "affected_versions": "v3.1-rc1 to v4.2-rc1", "breaks": "9f7d653b67aed2d92540fbb0a8adaf32fcf352ae", "cmt_msg": 
"sctp: fix ASCONF list handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Race Conditions", "fixes": "2d45a02d0166caf2627fe91897c6ffc3b19514c4", "last_affected_version": "4.1.1", "last_modified": "2023-12-06", "nvd_text": "Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3212", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3212", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3212", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3212", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3212", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3212" } }, "CVE-2015-3214": { "affected_versions": "unk to v2.6.33-rc8", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.9" }, "cwe": "Buffer Errors", "fixes": "ee73f656a604d5aa9df86a97102e4e462dd79924", "last_modified": "2023-12-06", "nvd_text": "The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3214", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3214", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3214", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2015-3214", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3214", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3214" } }, "CVE-2015-3288": { "affected_versions": "v2.6.12-rc2 to v4.2-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: avoid setting up anonymous pages into file mapping", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Input Validation", "fixes": "6b7339f4c31ad69c8e9c0b2859276e22cf72176d", "last_affected_version": "4.1.3", "last_modified": "2023-12-06", "nvd_text": "mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3288", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3288", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3288", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3288", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3288", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3288" } }, "CVE-2015-3290": { "affected_versions": "v2.6.12-rc2 to v4.2-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/nmi/64: Switch stacks on userspace NMI entry", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": 
"Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "9b6e6a8334d56354853f9c255d1395c2ba570e0a", "last_affected_version": "4.1.5", "last_modified": "2023-12-06", "nvd_text": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform improperly relies on espfix64 during nested NMI processing, which allows local users to gain privileges by triggering an NMI within a certain instruction window.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3290", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3290", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3290", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3290", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3290", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3290" } }, "CVE-2015-3291": { "affected_versions": "v3.3-rc1 to v4.2-rc3", "breaks": "3f3c8b8c4b2a34776c3470142a7c8baafcda6eb0", "cmt_msg": "x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Code", "fixes": "810bc075f78ff2c221536eb3008eac6a492dba2d", "last_affected_version": "4.1.5", "last_modified": "2023-12-06", "nvd_text": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform does not properly determine when nested NMI processing is occurring, which allows local users to cause a denial of service (skipped NMI) by modifying the rsp register, issuing a syscall instruction, and triggering an NMI.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3291", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3291", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3291", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2015-3291", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3291", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3291" } }, "CVE-2015-3331": { "affected_versions": "v2.6.38-rc1 to v4.0-rc5", "breaks": "0bd82f5f6355775fbaf7d3c664432ce1b862be1e", "cmt_msg": "crypto: aesni - fix memory usage in GCM decryption", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cwe": "Buffer Errors", "fixes": "ccfe8c3f7e52ae83155cb038753f4c75b774ca8a", "last_affected_version": "3.18.10", "last_modified": "2023-12-06", "nvd_text": "The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3331", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3331", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3331", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3331", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3331", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3331" } }, "CVE-2015-3332": { "backport": true, "breaks": "355a901e6cf1b2b763ec85caa2a9f04fbcc4ab4a", "cmt_msg": "tcp: Fix crash in TCP Fast Open", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", 
"raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Resource Management Errors", "fixes": "b2776bf7149bddd1f4161f14f79520f17fc1d71d", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allows local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3332", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3332", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3332", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3332", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3332", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3332" } }, "CVE-2015-3339": { "affected_versions": "unk to v4.1-rc1", "breaks": "", "cmt_msg": "fs: take i_mutex during prepare_binprm for set[ug]id executables", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "6.2" }, "cwe": "Race Conditions", "fixes": "8b01fc86b9f425899f8a3a8fc1c47d73c2c20543", "last_affected_version": "3.14.40", "last_modified": "2023-12-06", "nvd_text": "Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3339", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2015-3339", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3339", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3339", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3339", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3339" } }, "CVE-2015-3636": { "affected_versions": "v3.0-rc1 to v4.1-rc2", "breaks": "c319b4d76b9e583a5d88d6bf190e079c4e43213d", "cmt_msg": "ipv4: Missing sk_nulls_node_init() in ping_unhash().", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "a134f083e79fb4c3d0a925691e732c56911b4326", "last_affected_version": "3.18.13", "last_modified": "2023-12-06", "nvd_text": "The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-3636", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-3636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-3636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-3636", "SUSE": "https://www.suse.com/security/cve/CVE-2015-3636", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3636" } }, "CVE-2015-4001": { "affected_versions": "v3.4-rc1 to v4.1-rc7", "breaks": "ae926051d7eb8f80dba9513db70d2e2fc8385d3a", "cmt_msg": "ozwpan: Use unsigned ints to prevent heap overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", 
"Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:C", "score": 9.0 }, "cwe": "Numeric Errors", "fixes": "b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4001", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4001", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4001", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4001" } }, "CVE-2015-4002": { "affected_versions": "v3.4-rc1 to v4.1-rc7", "breaks": "ae926051d7eb8f80dba9513db70d2e2fc8385d3a", "cmt_msg": "ozwpan: Use proper check to prevent heap overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:C", "score": 9.0 }, "cwe": "Buffer Errors", "fixes": "d114b9fe78c8d6fc6e70808c2092aa307c36dc8e", "last_affected_version": "3.18.17", "last_modified": "2023-12-06", "nvd_text": "drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data 
functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4002", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4002", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4002", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4002" } }, "CVE-2015-4003": { "affected_versions": "v3.4-rc1 to v4.1-rc7", "breaks": "ae926051d7eb8f80dba9513db70d2e2fc8385d3a", "cmt_msg": "ozwpan: divide-by-zero leading to panic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cwe": "Numeric Errors", "fixes": "04bf464a5dfd9ade0dda918e44366c2c61fce80b", "last_affected_version": "3.18.17", "last_modified": "2023-12-06", "nvd_text": "The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4003", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4003", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4003", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4003", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4003", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4003" } }, "CVE-2015-4004": { "affected_versions": "v3.4-rc1 to v4.3-rc1", "breaks": "ae926051d7eb8f80dba9513db70d2e2fc8385d3a", "cmt_msg": "staging: ozwpan: Remove from tree", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality 
Impact": "Partial", "Integrity Impact": "None", "score": "8.5" }, "cwe": "Buffer Errors", "fixes": "a73e99cb67e7438e5ab0c524ae63a8a27616c839", "last_modified": "2023-12-06", "nvd_text": "The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4004", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4004", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4004", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4004", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4004", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4004" } }, "CVE-2015-4036": { "affected_versions": "v3.6-rc2 to v4.0-rc1", "breaks": "057cbf49a1f08297877e46c82f707b1bfea806a8", "cmt_msg": "vhost/scsi: potential memory corruption", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cwe": "Buffer Errors", "fixes": "59c816c1f24df0204e01851431d3bab3eb76719c", "last_affected_version": "3.18.24", "last_modified": "2023-12-06", "nvd_text": "Array index error in the tcm_vhost_make_tpg function in drivers/vhost/scsi.c in the Linux kernel before 4.0 might allow guest OS users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl call. 
NOTE: the affected function was renamed to vhost_scsi_make_tpg before the vulnerability was announced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4036", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4036", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4036", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4036", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4036", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4036" } }, "CVE-2015-4167": { "affected_versions": "v2.6.12-rc2 to v4.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udf: Check length of extended attributes and allocation descriptors", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Numeric Errors", "fixes": "23b133bdc452aa441fcb9b82cbf6dd05cfd342d0", "last_affected_version": "3.18.8", "last_modified": "2023-12-06", "nvd_text": "The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.19.1 does not validate certain length values, which allows local users to cause a denial of service (incorrect data representation or integer overflow, and OOPS) via a crafted UDF filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4167", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4167", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4167", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4167", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4167", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4167" } }, "CVE-2015-4170": { "affected_versions": "v3.11-rc1 to v3.13-rc5", "breaks": "4898e640caf03fdbaf2122d5a33949bf3e4a5b34", "cmt_msg": "tty: Fix hang at ldsem_down_read()", "cvss2": { "Access Complexity": "Medium", 
"Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "4.7" }, "cwe": "Race Conditions", "fixes": "cf872776fc84128bb779ce2b83a37c884c3203ae", "last_affected_version": "3.12.6", "last_modified": "2023-12-06", "nvd_text": "Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before 3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a previous tty thread.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4170", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4170", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4170", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4170", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4170", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4170" } }, "CVE-2015-4176": { "affected_versions": "v4.1-rc1 to v4.1-rc1", "backport": true, "breaks": "ce07d891a0891d3c0d0c2d73d577490486b809e1", "cmt_msg": "mnt: Update detach_mounts to leave mounts connected", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "e0c9c0afd2fc958ffa34b697972721d81df8a56f", "last_modified": "2023-12-06", "nvd_text": "fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4176", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4176", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4176", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4176", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4176", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4176" } }, "CVE-2015-4177": { "affected_versions": "v4.1-rc1 to v4.1-rc1", "backport": true, "breaks": "ce07d891a0891d3c0d0c2d73d577490486b809e1", "cmt_msg": "mnt: Fail collect_mounts when applied to unmounted mounts", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "cd4a40174b71acd021877341684d8bb1dc8ea4ae", "last_affected_version": "3.18.14", "last_modified": "2023-12-06", "nvd_text": "The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace 
root access for an MNT_DETACH umount2 system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4177", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4177", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4177", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4177", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4177", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4177" } }, "CVE-2015-4178": { "affected_versions": "v4.1-rc1 to v4.1-rc1", "backport": true, "breaks": "ce07d891a0891d3c0d0c2d73d577490486b809e1", "cmt_msg": "fs_pin: Allow for the possibility that m_list or s_list go unused.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Other", "fixes": "820f9f147dcce2602eefd9b575bbbd9ea14f0953", "last_affected_version": "3.18.14", "last_modified": "2023-12-06", "nvd_text": "The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to fs/fs_pin.c and include/linux/fs_pin.h.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4178", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4178", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4178", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4178", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4178", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4178" } }, "CVE-2015-4692": { "affected_versions": "v3.10-rc1 to v4.2-rc1", "breaks": "66450a21f99636af4fafac2afd33f1a40631bc3a", "cmt_msg": "kvm: x86: fix kvm_apic_has_events to check for NULL pointer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "ce40cd3fc7fa40a6119e5fe6c0f2bc0eb4541009", "last_affected_version": "4.1.5", "last_modified": "2023-12-06", "nvd_text": "The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4692", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4692", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4692", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4692", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4692", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4692" } }, "CVE-2015-4700": { "affected_versions": "v3.0-rc1 to v4.1-rc6", "breaks": "0a14842f5a3c0e88a1e59fac5c3025db39721f74", "cmt_msg": "x86: bpf_jit: fix compilation of large bpf programs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Code", "fixes": "3f7352bf21f8fd7ba3e2fcef9488756f188e12be", "last_affected_version": "3.18.16", "last_modified": "2023-12-06", "nvd_text": "The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a 
denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-4700", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-4700", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-4700", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-4700", "SUSE": "https://www.suse.com/security/cve/CVE-2015-4700", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4700" } }, "CVE-2015-5156": { "affected_versions": "v2.6.12-rc2 to v4.2-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "virtio-net: drop NETIF_F_FRAGLIST", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "6.1" }, "cwe": "Buffer Errors", "fixes": "48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39", "last_affected_version": "4.1.13", "last_modified": "2023-12-06", "nvd_text": "The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5156", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5156", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5156", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5156", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5156", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5156" } }, "CVE-2015-5157": { "affected_versions": "v2.6.12-rc2 to v4.2-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/nmi/64: Switch stacks on 
userspace NMI entry", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "9b6e6a8334d56354853f9c255d1395c2ba570e0a", "last_affected_version": "4.1.5", "last_modified": "2023-12-06", "nvd_text": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5157", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5157", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5157", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5157", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5157", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5157" } }, "CVE-2015-5257": { "affected_versions": "v2.6.12-rc2 to v4.3-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: whiteheat: fix potential null-deref at probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Unspecified", "fixes": "cbb4be652d374f64661137756b8f357a1827d6a4", "last_affected_version": "4.1.10", "last_modified": "2023-12-06", "nvd_text": "drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device. 
NOTE: this ID was incorrectly used for an Apache Cordova issue that has the correct ID of CVE-2015-8320.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5257", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5257", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5257", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5257", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5257", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5257" } }, "CVE-2015-5283": { "affected_versions": "v3.7-rc1 to v4.3-rc3", "breaks": "4db67e808640e3934d82ce61ee8e2e89fd877ba8", "cmt_msg": "sctp: fix race on protocol/netns initialization", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cwe": "Buffer Errors", "fixes": "8e2d61e0aed2b7c4ecb35844fe07e0b2b762dee4", "last_affected_version": "4.1.9", "last_modified": "2023-12-06", "nvd_text": "The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5283", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5283", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5283", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5283", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5283", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5283" } }, "CVE-2015-5307": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: work around infinite loop in microcode 
when #AC is delivered", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Resource Management Errors", "fixes": "54a20552e1eae07aa240fa370a0293e006b5faed", "last_affected_version": "4.3.0", "last_modified": "2023-12-06", "nvd_text": "The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5307", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5307", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5307", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5307", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5307", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5307" } }, "CVE-2015-5327": { "affected_versions": "v4.3-rc1 to v4.4-rc1", "breaks": "fd19a3d195be23e8d9d0d66576b96ea25eea8323", "cmt_msg": "X.509: Fix the time validation [ver #2]", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "score": 4.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Out-of-bounds Read", "fixes": "cc25b994acfbc901429da682d0f73c190e960206", "last_affected_version": "4.3.1", "last_modified": "2023-12-06", "nvd_text": "Out-of-bounds memory 
read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5327", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5327", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5327", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5327", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5327", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5327" } }, "CVE-2015-5364": { "affected_versions": "v2.6.12-rc2 to v4.1-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udp: fix behavior of wrong checksums", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cwe": "Resource Management Errors", "fixes": "beb39db59d14990e401e235faf66a6b9b31240b0", "last_affected_version": "3.18.16", "last_modified": "2023-12-06", "nvd_text": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5364", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5364", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5364", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5364", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5364", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5364" } }, "CVE-2015-5366": { "affected_versions": "v2.6.12-rc2 to v4.1-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udp: fix behavior of wrong checksums", "cvss2": { "Access Complexity": "Low", 
"Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cwe": "Resource Management Errors", "fixes": "beb39db59d14990e401e235faf66a6b9b31240b0", "last_affected_version": "3.18.16", "last_modified": "2023-12-06", "nvd_text": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5366", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5366", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5366", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5366", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5366", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5366" } }, "CVE-2015-5697": { "affected_versions": "v2.6.12-rc2 to v4.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "md: use kzalloc() when bitmap is disabled", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cwe": "Information Leak / Disclosure", "fixes": "b6878d9e03043695dbf3fa1caa6dfc09db225b16", "last_affected_version": "4.1.5", "last_modified": "2023-12-06", "nvd_text": "The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2015-5697", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5697", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5697", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5697", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5697", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5697" } }, "CVE-2015-5706": { "affected_versions": "v3.11-rc1 to v4.1-rc3", "breaks": "60545d0d4610b02e55f65d141c95b18ccf855b6e", "cmt_msg": "path_openat(): fix double fput()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cwe": "Other", "fixes": "f15133df088ecadd141ea1907f2c96df67c729f0", "last_affected_version": "3.18.14", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the path_openat function in fs/namei.c in the Linux kernel 3.x and 4.x before 4.0.4 allows local users to cause a denial of service or possibly have unspecified other impact via O_TMPFILE filesystem operations that leverage a duplicate cleanup operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5706", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5706", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5706", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5706", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5706", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5706" } }, "CVE-2015-5707": { "affected_versions": "v2.6.28-rc1 to v4.1-rc1", "breaks": "10db10d144c0248f285242f79daf6b9de6b00a62", "cmt_msg": "sg_start_req(): make sure that there's not too many elements in iovec", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cwe": "Numeric Errors", "fixes": "451a2886b6bf90e2fb378f7c46c655450fb96e81", "last_affected_version": "3.18.20", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-5707", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-5707", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-5707", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-5707", "SUSE": "https://www.suse.com/security/cve/CVE-2015-5707", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5707" } }, "CVE-2015-6252": { "affected_versions": "v2.6.12-rc2 to v4.2-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vhost: actually track log eventfd file", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cwe": "Resource Management Errors", "fixes": "7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5", "last_affected_version": "4.1.4", "last_modified": "2023-12-06", "nvd_text": "The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-6252", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-6252", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-6252", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-6252", "SUSE": "https://www.suse.com/security/cve/CVE-2015-6252", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6252" } }, "CVE-2015-6526": { "affected_versions": "v2.6.12-rc2 to v4.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Resource Management Errors", "fixes": "9a5cbce421a283e6aea3c4007f141735bf9da8c3", "last_affected_version": "3.18.13", "last_modified": "2023-12-06", "nvd_text": "The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on ppc64 platforms allows local users to cause a denial of service (infinite loop) via a deep 64-bit userspace backtrace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-6526", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-6526", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-6526", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-6526", "SUSE": "https://www.suse.com/security/cve/CVE-2015-6526", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6526" } }, "CVE-2015-6619": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The kernel in Android 
before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to gain privileges via a crafted application, aka internal bug 23520714.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-6619", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-6619", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-6619", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-6619", "SUSE": "https://www.suse.com/security/cve/CVE-2015-6619", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6619" }, "vendor_specific": true }, "CVE-2015-6646": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Resource Management Errors", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The System V IPC implementation in the kernel in Android before 6.0 2016-01-01 allows attackers to cause a denial of service (global kernel resource consumption) by leveraging improper interaction between IPC resource allocation and the memory manager, aka internal bug 22300191, a different vulnerability than CVE-2015-7613.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-6646", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-6646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-6646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-6646", "SUSE": "https://www.suse.com/security/cve/CVE-2015-6646", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6646" }, "vendor_specific": true }, "CVE-2015-6937": { "affected_versions": "v2.6.12-rc2 to v4.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "RDS: verify the underlying transport exists before creating a connection", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cwe": "Other", "fixes": "74e98eb085889b0d2d4908f59f6e00026063014f", "last_affected_version": "4.1.13", "last_modified": "2023-12-06", "nvd_text": "The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-6937", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-6937", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-6937", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-6937", "SUSE": "https://www.suse.com/security/cve/CVE-2015-6937", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6937" } }, "CVE-2015-7312": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.4" }, "cwe": "Race Conditions", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x and 4.x allow local users to cause a denial of service (use-after-free and BUG) or possibly gain privileges via a (1) madvise 
or (2) msync system call, related to mm/madvise.c and mm/msync.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7312", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7312", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7312", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7312", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7312", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7312" }, "vendor_specific": true }, "CVE-2015-7509": { "affected_versions": "v2.6.12-rc2 to v3.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: make orphan functions be no-op in no-journal mode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "score": "4.4" }, "cwe": "Input Validation", "fixes": "c9b92530a723ac5ef8e352885a1862b18f31b2f5", "last_affected_version": "3.2.65", "last_modified": "2023-12-06", "nvd_text": "fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7509", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7509", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7509", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7509", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7509", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7509" } }, "CVE-2015-7513": { "affected_versions": "v2.6.12-rc2 to v4.4-rc7", 
"breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: Reload pit counters for all channels when restoring state", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "score": "6.5" }, "cwe": "Other", "fixes": "0185604c2d82c560dab2f2933a18f797e74ab5a8", "last_affected_version": "4.1.21", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7513", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7513", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7513", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7513", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7513", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7513" } }, "CVE-2015-7515": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: aiptek - fix crash on detecting device without endpoints", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Other", "fixes": "8e20cf2bce122ce9262d6034ee5d5b76fbb92f96", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7515", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7515", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7515", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7515", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7515", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7515" } }, "CVE-2015-7550": { "affected_versions": "v2.6.12-rc2 to v4.4-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: Fix race between read and revoke", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Race Conditions", "fixes": "b4a1b4f5047e4f54e194681125c74c0aa64d637d", "last_affected_version": "4.3.3", "last_modified": "2023-12-06", "nvd_text": "The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a 
semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7550", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7550", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7550", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7550", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7550", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7550" } }, "CVE-2015-7553": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Race condition in the kernel in Red Hat Enterprise Linux 7, kernel-rt and Red Hat Enterprise MRG 2, when the nfnetlink_log module is loaded, allows local users to cause a denial of service (panic) by creating netlink sockets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7553", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7553", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7553", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7553", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7553", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7553" }, "vendor_specific": true 
}, "CVE-2015-7566": { "affected_versions": "v2.6.37-rc1 to v4.5-rc2", "breaks": "cfb8da8f69b81d367b766888e83ec0483a31bf01", "cmt_msg": "USB: serial: visor: fix crash on detecting device without write_urbs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "cb3232138e37129e88240a98a1d2aba2187ff57c", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7566", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7566", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7566", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7566", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7566", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7566" } }, "CVE-2015-7613": { "affected_versions": "v2.6.12-rc2 to v4.3-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Initialize msg/shm IPC objects before doing ipc_addid()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity 
Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cwe": "Race Conditions", "fixes": "b9a532277938798b53178d5a66af6e2915cb27cf", "last_affected_version": "4.1.10", "last_modified": "2023-12-06", "nvd_text": "Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7613", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7613", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7613", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7613", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7613", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7613" } }, "CVE-2015-7799": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isdn_ppp: Add checks for allocation failure in isdn_ppp_open()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Unspecified", "fixes": "0baa57d8dc32db78369d8b5176ef56c5e2e18ab3", "last_affected_version": "4.3.4", "last_modified": "2023-12-06", "nvd_text": "The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7799", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7799", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7799", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2015-7799", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7799", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7799" } }, "CVE-2015-7833": { "affected_versions": "v4.5-rc1 to v4.6-rc6", "breaks": "588afcc1c0e45358159090d95bf7b246fb67565f", "cmt_msg": "[media] usbvision: revert commit 588afcc1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cwe": "Code", "fixes": "d5468d7afaa9c9e961e150f0455a14a9f4872a98", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7833", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7833", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7833", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7833", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7833", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7833" } }, "CVE-2015-7837": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": 
"None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Security Features", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions by leveraging improper handling of secure_boot flag across kexec reboot.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7837", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7837", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7837", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7837", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7837", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7837" }, "vendor_specific": true }, "CVE-2015-7872": { "affected_versions": "v2.6.12-rc2 to v4.3-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cwe": "Input Validation", "fixes": "f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61", "last_affected_version": "4.1.15", "last_modified": "2023-12-06", "nvd_text": "The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7872", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7872", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7872", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7872", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7872", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7872" } }, "CVE-2015-7884": { "affected_versions": "v3.18-rc1 to v4.4-rc1", "breaks": "ad4e02d5081d9da38b5b91886e5fa71f0505d607", "cmt_msg": "[media] media/vivid-osd: fix info leak in ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "score": "2.3" }, "cwe": "Information Leak / Disclosure", "fixes": "eda98796aff0d9bf41094b06811f5def3b4c333c", "last_affected_version": "4.3.4", "last_modified": "2023-12-06", "nvd_text": "The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7884", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7884", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7884", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7884" } }, "CVE-2015-7885": { "affected_versions": "v3.12-rc1 to v4.4-rc1", "breaks": "0b99d58902dd82fa51216eb8e0d6ddd8c43e90e4", "cmt_msg": "staging/dgnc: fix info leak in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "score": "2.3" }, "cwe": "Information Leak / Disclosure", "fixes": "4b6184336ebb5c8dc1eae7f7ab46ee608a748b05", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7885", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7885", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7885", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7885", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7885", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7885" } }, "CVE-2015-7990": { "affected_versions": "v4.3-rc1 to v4.4-rc4", "breaks": "74e98eb085889b0d2d4908f59f6e00026063014f", "cmt_msg": "RDS: fix race condition when sending a message on unbound socket", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "5.9" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.8" }, "cwe": "Race Conditions", "fixes": "8c7188b23474cca017b3ef354c4a58456f68303a", "last_affected_version": "4.3.2", "last_modified": "2023-12-06", "nvd_text": "Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer 
dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-7990", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-7990", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-7990", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-7990", "SUSE": "https://www.suse.com/security/cve/CVE-2015-7990", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7990" } }, "CVE-2015-8019": { "backport": true, "breaks": "89c22d8c3b278212eef6a8cc66b570bc840a6f5a", "cmt_msg": "net: add length argument to skb_copy_and_csum_datagram_iovec", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Input Validation", "fixes": "bfa76d49576599a4b9f9b7a71f23d73d6dcff735", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel 3.14.54 and 3.18.22 does not accept a length argument, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8019", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8019", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8019", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8019", 
"SUSE": "https://www.suse.com/security/cve/CVE-2015-8019", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8019" } }, "CVE-2015-8104": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: svm: unconditionally intercept #DB", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.7" }, "cwe": "Resource Management Errors", "fixes": "cbdb967af3d54993f5814f1cee0ed311a055377d", "last_affected_version": "4.3.4", "last_modified": "2023-12-06", "nvd_text": "The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8104", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8104", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8104", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8104", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8104", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8104" } }, "CVE-2015-8215": { "affected_versions": "v2.6.12-rc2 to v4.0-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: addrconf: validate new MTU before applying it", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cwe": "Input Validation", "fixes": "77751427a1ff25b27d47a4c36b12c3c8667855ac", "last_affected_version": "3.18.24", "last_modified": "2023-12-06", "nvd_text": "net/ipv6/addrconf.c in the IPv6 stack in the Linux 
kernel before 4.0 does not validate attempted changes to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8215", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8215", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8215", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8215", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8215", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8215" } }, "CVE-2015-8324": { "affected_versions": "v2.6.12-rc2 to v2.6.34-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "744692dc059845b2a3022119871846e74d4f6e11", "last_modified": "2023-12-06", "nvd_text": "The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of certain data structures, which allows physically proximate attackers to cause a denial of service (NULL pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.", "ref_urls": 
{ "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8324", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8324", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8324", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8324", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8324", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8324" } }, "CVE-2015-8374": { "affected_versions": "v2.6.29-rc1 to v4.4-rc1", "breaks": "f2eb0a241f0e5c135d93243b0236cb1f14c305e0", "cmt_msg": "Btrfs: fix truncation of compressed and inlined extents", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 4.0 }, "cwe": "Information Leak / Disclosure", "fixes": "0305cd5f7fca85dae392b9ba85b116896eb7c1c7", "last_affected_version": "4.3.2", "last_modified": "2023-12-06", "nvd_text": "fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8374", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8374", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8374", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8374", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8374", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8374" } }, "CVE-2015-8539": { "affected_versions": "v4.4-rc1 to v4.4-rc3", "breaks": 
"146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "096fe9eaea40a17e125569f9e657e34cdb6d73bd", "last_modified": "2023-12-06", "nvd_text": "The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8539", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8539", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8539", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8539", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8539", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8539" } }, "CVE-2015-8543": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: add validation for the socket syscall protocol argument", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", 
"Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "79462ad02e861803b3840cc782248c7359451cd9", "last_affected_version": "4.3.3", "last_modified": "2023-12-06", "nvd_text": "The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8543", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8543", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8543", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8543" } }, "CVE-2015-8550": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen: Add RING_COPY_REQUEST()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:S/C:P/I:P/A:C", "score": 5.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "score": 8.2 }, "cwe": "Improper Access Control", "fixes": "454d5d882c7e412b840e3c99010fe81a9862f6fb", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "Xen, when used on a system providing PV 
backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8550", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8550", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8550", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8550", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8550", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8550" } }, "CVE-2015-8551": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "score": 6.0 }, "cwe": "Other", "fixes": "56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka \"Linux pciback missing sanity checks.\"", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8551", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8551", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8551", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8551", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8551", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8551" } }, "CVE-2015-8552": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "score": 1.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Input Validation", "fixes": "56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d", "last_affected_version": "3.16.34", "last_modified": "2023-12-06", "nvd_text": "The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka \"Linux pciback missing sanity checks.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8552", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8552", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8552", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2015-8552", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8552", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8552" } }, "CVE-2015-8553": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Information Leak / Disclosure", "fixes": "408fb0e5aa7fda0059db282ff58c3b2a4278baa0", "last_affected_version": "4.1.19", "last_modified": "2023-12-06", "nvd_text": "Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8553", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8553", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8553", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8553", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8553", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8553" } }, "CVE-2015-8569": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "pptp: verify sockaddr_len in pptp_bind() and pptp_connect()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "score": "2.3" }, "cwe": "Information Leak / Disclosure", "fixes": "09ccfd238e5a0e670d8178cf50180ea81ae09ae1", "last_affected_version": "4.3.3", "last_modified": "2023-12-06", "nvd_text": "The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8569", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8569", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8569", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8569", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8569", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8569" } }, "CVE-2015-8575": { "affected_versions": "v2.6.12-rc2 to v4.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bluetooth: Validate socket address length in sco_sock_bind().", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 4.0 }, "cwe": "Information Leak / Disclosure", "fixes": "5233252fce714053f0151680933571a2da9cbfb4", "last_affected_version": "4.3.3", "last_modified": "2023-12-06", "nvd_text": "The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8575", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8575", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8575", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8575", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8575", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8575" } }, "CVE-2015-8660": { "affected_versions": "v3.18-rc2 to v4.4-rc4", "breaks": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c", "cmt_msg": "ovl: fix permission checking for setattr", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": 
"Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "acff81ec2c79492b180fade3c2894425cd35a545", "last_affected_version": "4.1.21", "last_modified": "2023-12-06", "nvd_text": "The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8660", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8660", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8660", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8660" } }, "CVE-2015-8709": { "affected_versions": "v2.6.39-rc1 to v4.10-rc1", "breaks": "8409cca7056113bee3236cb6a8e4d8d4d1eef102", "cmt_msg": "mm: Add a user_ns owner to mm_struct and fix ptrace permission checks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4", "last_affected_version": "4.9.0", "last_modified": "2023-12-06", "nvd_text": "kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles uid and gid mappings, which allows local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states \"there is no kernel bug here.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8709", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8709", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8709", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8709", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8709", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8709" } }, "CVE-2015-8746": { "affected_versions": "v3.13-rc1 to v4.3-rc1", "breaks": "ec011fe847347b40c60fdb5085f65227762e2e08", "cmt_msg": "NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Unspecified", "fixes": "18e3b739fdc826481c6a1335ce0c5b19b3d415da", "last_affected_version": "4.1.8", "last_modified": "2023-12-06", "nvd_text": "fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly 
initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) via crafted network traffic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8746", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8746", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8746", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8746", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8746", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8746" } }, "CVE-2015-8767": { "affected_versions": "v2.6.12-rc2 to v4.3-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: Prevent soft lockup when sctp_accept() is called during a timeout event", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Race Conditions", "fixes": "635682a14427d241bab7bbdeebb48a7d7b91638e", "last_affected_version": "4.1.16", "last_modified": "2023-12-06", "nvd_text": "net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8767", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8767", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8767", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2015-8767", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8767", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8767" } }, "CVE-2015-8785": { "affected_versions": "v2.6.26-rc1 to v4.4-rc5", "breaks": "ea9b9907b82a09bd1a708004454f7065de77c5b0", "cmt_msg": "fuse: break infinite loop in fuse_fill_write_pages()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Resource Management Errors", "fixes": "3ca8138f014a913f98e6ef40e939868e1e9ea876", "last_affected_version": "4.1.21", "last_modified": "2023-12-06", "nvd_text": "The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8785", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8785", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8785", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8785", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8785", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8785" } }, "CVE-2015-8787": { "affected_versions": "v3.19-rc1 to v4.4-rc1", "breaks": "8b13eddfdf04cbfa561725cfc42d6868fe896f56", "cmt_msg": "netfilter: nf_nat_redirect: add missing NULL pointer check", "cvss2": { "Access Complexity": "Low", "Access Vector": 
"Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Other", "fixes": "94f9cd81436c85d8c3a318ba92e236ede73752fc", "last_affected_version": "4.1.30", "last_modified": "2023-12-06", "nvd_text": "The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8787", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8787", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8787", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8787", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8787", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8787" } }, "CVE-2015-8812": { "affected_versions": "v2.6.30-rc2 to v4.5-rc1", "breaks": "04b5d028f50ff05a8f9ae049ee71f8fdfcf1f5de", "cmt_msg": "iw_cxgb3: Fix incorrectly returning error on success", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": 
"High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Unspecified", "fixes": "67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3", "last_affected_version": "4.4.3", "last_modified": "2023-12-06", "nvd_text": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8812", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8812", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8812", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8812", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8812", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8812" } }, "CVE-2015-8816": { "affected_versions": "v2.6.28-rc1 to v4.4-rc6", "breaks": "8520f38099ccfdac2147a0852f84ee7a8ee5e197", "cmt_msg": "USB: fix invalid memory access in hub_activate()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "6.8" }, "cwe": "Other", "fixes": "e50293ef9775c5f1cf3fcc093037dd6a8c5684ea", "last_affected_version": "4.3.4", "last_modified": "2023-12-06", "nvd_text": "The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory 
access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8816", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8816", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8816", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8816", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8816", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8816" } }, "CVE-2015-8830": { "affected_versions": "v3.10-rc1 to v4.1-rc1", "breaks": "41ef4eb8eef8d06bc1399e7b00c940d771554711", "cmt_msg": "aio: lift iov_iter_init() into aio_setup_..._rw()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Other", "fixes": "4c185ce06dca14f5cea192f5a2c981ef50663f2b", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. 
NOTE: this vulnerability exists because of a CVE-2012-6701 regression.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8830", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8830", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8830", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8830", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8830", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8830" } }, "CVE-2015-8839": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: fix races between page faults and hole punching", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Race Conditions", "fixes": "ea3d7209ca01da209cda6f0dea8be9cc4b7a933b", "last_affected_version": "4.4.8", "last_modified": "2023-12-06", "nvd_text": "Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8839", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8839", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8839", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8839", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8839", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8839" } }, "CVE-2015-8844": { "affected_versions": "v3.9-rc1 to v4.4-rc3", "breaks": "2b0a576d15e0e14751f00f9c87e46bad27f217e7", "cmt_msg": "powerpc/tm: Block signal return setting invalid MSR state", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "d2b9d2a5ad5ef04ff978c9923d19730cb05efd55", "last_affected_version": "4.3.4", "last_modified": "2023-12-06", "nvd_text": "The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8844", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8844", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8844", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8844", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8844", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8844" } }, "CVE-2015-8845": { "affected_versions": "v3.9-rc1 to v4.4-rc3", "breaks": "fb09692e71f13af7298eb603a1975850b1c7a8d8", "cmt_msg": "powerpc/tm: Check for already reclaimed tasks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", 
"Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "7f821fc9c77a9b01fe7b1d6e72717b33d8d64142", "last_affected_version": "4.3.4", "last_modified": "2023-12-06", "nvd_text": "The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8845", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8845", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8845", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8845", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8845", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8845" } }, "CVE-2015-8937": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Data Handling", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/char/diag/diagchar_core.c in the Qualcomm 
components in Android before 2016-08-05 on Nexus 5, 6, and 7 (2013) devices mishandles a socket process, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28803962 and Qualcomm internal bug CR770548.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8937", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8937", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8937", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8937", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8937", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8937" }, "vendor_specific": true }, "CVE-2015-8938": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The MSM camera driver in the Qualcomm components in Android before 2016-08-05 on Nexus 6 devices does not validate input parameters, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28804030 and Qualcomm internal bug CR766022.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8938", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8938", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8938", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8938" }, 
"vendor_specific": true }, "CVE-2015-8939": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/video/msm/mdp4_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices does not validate r stages, g stages, or b stages data, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28398884 and Qualcomm internal bug CR779021.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8939", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8939", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8939", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8939", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8939", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8939" }, "vendor_specific": true }, "CVE-2015-8940": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": 
"Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in sound/soc/msm/qdsp6v2/q6lsm.c in the Qualcomm components in Android before 2016-08-05 on Nexus 6 devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28813987 and Qualcomm internal bug CR792367.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8940", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8940", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8940", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8940", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8940", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8940" }, "vendor_specific": true }, "CVE-2015-8941": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices does not properly validate array indexes, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28814502 and Qualcomm internal bug CR792473.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8941", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8941", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-8941", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8941", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8941", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8941" }, "vendor_specific": true }, "CVE-2015-8942": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c in the Qualcomm components in Android before 2016-08-05 on Nexus 6 devices does not validate the stream state, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28814652 and Qualcomm internal bug CR803246.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8942", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8942", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8942", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8942", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8942", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8942" }, "vendor_specific": true }, "CVE-2015-8943": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/video/msm/mdss/mdss_mdp_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not verify that a mapping exists before proceeding with an unmap operation, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28815158 and Qualcomm internal bugs CR794217 and CR836226.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8943", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8943", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8943", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8943", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8943", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8943" }, "vendor_specific": true }, "CVE-2015-8944": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "/proc/iomem: only expose physical resource addresses to privileged users", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", 
"fixes": "51d7b120418e99d6b3bf8df9eb3cc31e8171dee4", "last_modified": "2023-12-06", "nvd_text": "The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8944", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8944", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8944", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8944", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8944", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8944" }, "vendor_specific": true }, "CVE-2015-8950": { "affected_versions": "v2.6.12-rc2 to v4.1-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm64: dma-mapping: always clear allocated buffers", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Information Leak / Disclosure", "fixes": "6829e274a623187c24f7cfc0e3d35f25d087fcc5", "last_affected_version": "3.18.13", "last_modified": "2023-12-06", "nvd_text": "arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information 
from kernel memory by triggering a dma_mmap call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8950", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8950", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8950", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8950", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8950", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8950" } }, "CVE-2015-8952": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext2: convert to mbcache2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Data Handling", "fixes": "be0726d33cb8f411945884664924bed3cb8c70ee", "last_modified": "2023-12-06", "nvd_text": "The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6 mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8952", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8952", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8952", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8952", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8952", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8952" } }, "CVE-2015-8953": { "affected_versions": "v3.18-rc2 to v4.3", "breaks": 
"e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c", "cmt_msg": "ovl: fix dentry reference leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "ab79efab0a0ba01a74df782eb7fa44b044dae8b5", "last_affected_version": "4.2", "last_modified": "2023-12-06", "nvd_text": "fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorrect cleanup code path, which allows local users to cause a denial of service (dentry reference leak) via filesystem operations on a large file in a lower overlayfs layer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8953", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8953", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8953", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8953", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8953", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8953" } }, "CVE-2015-8955": { "affected_versions": "v2.6.12-rc2 to v4.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm64: perf: reject groups spanning multiple HW PMUs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "score": 7.3 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "8fff105e13041e49b82f92eef034f363a6b1c071", "last_affected_version": "3.18.53", "last_modified": "2023-12-06", "nvd_text": "arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8955", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8955", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8955", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8955", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8955", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8955" } }, "CVE-2015-8956": { "affected_versions": "v3.15-rc1 to v4.2-rc1", "breaks": "b1765e7afe8710ef4366dc722cc5bd487eb07973", "cmt_msg": "Bluetooth: Fix potential NULL dereference in RFCOMM bind callback", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "score": 6.1 }, "cwe": "NULL Pointer Dereference", "fixes": "951b6a0717db97ce420547222647bcc40bf1eacd", "last_affected_version": "4.1.36", "last_modified": "2023-12-06", "nvd_text": "The rfcomm_sock_bind 
function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8956", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8956", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8956", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8956", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8956", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8956" } }, "CVE-2015-8961": { "affected_versions": "v4.2-rc2 to v4.4-rc1", "breaks": "9705acd63b125dee8b15c705216d7186daea4625", "cmt_msg": "ext4: fix potential use after free in __ext4_journal_stop", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "6934da9238da947628be83635e365df41064b09b", "last_affected_version": "4.3.2", "last_modified": "2023-12-06", "nvd_text": "The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8961", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8961", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2015-8961", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8961", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8961", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8961" } }, "CVE-2015-8962": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sg: Fix double-free when drives detach during SG_IO", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "score": 7.3 }, "cwe": "Double Free", "fixes": "f3951a3709ff50990bf3e188c27d346792103432", "last_affected_version": "3.18.53", "last_modified": "2023-12-06", "nvd_text": "Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8962", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8962", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8962", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8962", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8962", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8962" } }, "CVE-2015-8963": { "affected_versions": "v2.6.12-rc2 to v4.4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf: Fix race in swevent 
hash", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.6" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.0" }, "cwe": "Race Conditions", "fixes": "12ca6ad2e3a896256f086497a7c7406a547ee373", "last_affected_version": "4.3", "last_modified": "2023-12-06", "nvd_text": "Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8963", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8963", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8963", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8963", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8963", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8963" } }, "CVE-2015-8964": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tty: Prevent ldisc drivers from re-using stale tty fields", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "dd42bf1197144ede075a9d4793123f7689e164bc", "last_affected_version": "4.4.33", "last_modified": "2023-12-06", "nvd_text": "The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8964", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8964", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8964", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8964", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8964", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8964" } }, "CVE-2015-8966": { "affected_versions": "v2.6.12-rc2 to v4.4-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "[PATCH] arm: fix handling of F_OFD_... 
in oabi_fcntl64()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "76cc404bfdc0d419c720de4daaf2584542734f42", "last_affected_version": "4.1.32", "last_modified": "2023-12-06", "nvd_text": "arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8966", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8966", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8966", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8966", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8966", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8966" } }, "CVE-2015-8967": { "affected_versions": "v2.6.12-rc2 to v4.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm64: make sys_call_table const", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", 
"User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c623b33b4e9599c6ac5076f7db7369eb9869aa04", "last_affected_version": "3.18.53", "last_modified": "2023-12-06", "nvd_text": "arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the \"strict page permissions\" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8967", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8967", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8967", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8967", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8967", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8967" } }, "CVE-2015-8970": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: algif_skcipher - Require setkey before accept(2)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "dd504589577d8e8e70f51f997ad487a4cb6c026f", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system 
call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-8970", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-8970", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-8970", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-8970", "SUSE": "https://www.suse.com/security/cve/CVE-2015-8970", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8970" } }, "CVE-2015-9004": { "affected_versions": "v2.6.12-rc2 to v3.19-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf: Tighten (and fix) the grouping condition", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c3c87e770458aa004bd7ed3f29945ff436fd6511", "last_affected_version": "3.18.51", "last_modified": "2023-12-06", "nvd_text": "kernel/events/core.c in the Linux kernel before 3.19 mishandles counter grouping, which allows local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-9004", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-9004", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-9004", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-9004", "SUSE": 
"https://www.suse.com/security/cve/CVE-2015-9004", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-9004" } }, "CVE-2015-9016": { "affected_versions": "v2.6.12-rc2 to v4.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "blk-mq: fix race between timeout and freeing request", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "0048b4837affd153897ed1222283492070027aa9", "last_affected_version": "3.18.79", "last_modified": "2023-12-06", "nvd_text": "In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a possible use after free due to a race condition when a request has been previously freed by blk_mq_complete_request. This could lead to local escalation of privilege. Product: Android. Versions: Android kernel. 
Android ID: A-63083046.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-9016", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-9016", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-9016", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-9016", "SUSE": "https://www.suse.com/security/cve/CVE-2015-9016", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-9016" } }, "CVE-2015-9289": { "affected_versions": "v2.6.28-rc1 to v4.2-rc1", "breaks": "0d46748c3f874defbbbf98bcf40c7b18964abbc0", "cmt_msg": "[media] cx24116: fix a buffer overflow when checking userspace params", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "1fa2337a315a2448c5434f41e00d56b01a22283c", "last_affected_version": "4.1.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. 
However, the code allows larger values such as 23.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2015-9289", "ExploitDB": "https://www.exploit-db.com/search?cve=2015-9289", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2015-9289", "Red Hat": "https://access.redhat.com/security/cve/CVE-2015-9289", "SUSE": "https://www.suse.com/security/cve/CVE-2015-9289", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-9289" } }, "CVE-2016-0617": { "affected_versions": "v4.3-rc1 to v4.5-rc1", "breaks": "1bfad99ab42569807d0ca1698449cae5e8c0334a", "cmt_msg": "fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:S/C:N/I:N/A:C", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "9aacdd354d197ad64685941b36d28ea20ab88757", "last_affected_version": "4.4.2", "last_modified": "2023-12-06", "nvd_text": "Unspecified vulnerability in the kernel-uek component in Oracle Linux 6 allows local users to affect availability via unknown vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0617", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0617", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0617", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-0617", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0617", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0617" } }, "CVE-2016-0723": { "affected_versions": "v2.6.12-rc2 to v4.5-rc2", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "6.8" }, "cwe": "Information Leak / Disclosure", "fixes": "5c17c861a357e9458001f021a7afa7aab9937439", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0723", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0723", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0723", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-0723", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0723", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0723" } }, "CVE-2016-0728": { "affected_versions": "v3.8-rc1 to v4.5-rc1", "breaks": "3a50597de8635cd05133bd12c95681c82fe7b878", "cmt_msg": "KEYS: Fix keyring ref leak in join_session_keyring()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "23567fd052a9abb6d67fe8e7a9ccdd9800a540f2", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0728", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0728", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0728", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-0728", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0728", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0728" } }, "CVE-2016-0758": { "affected_versions": "v3.7-rc1 to v4.6", "breaks": "42d5ec27f873c654a68f7f865dcd7737513e9508", "cmt_msg": "KEYS: Fix ASN.1 indefinite length object parsing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa", "last_affected_version": "4.5", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in lib/asn1_decoder.c in the Linux kernel 
before 4.6 allows local users to gain privileges via crafted ASN.1 data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0758", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0758", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0758", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-0758", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0758", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0758" } }, "CVE-2016-0774": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "score": 6.8 }, "cwe": "Input Validation", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0774", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0774", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0774", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2016-0774", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0774", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0774" }, "vendor_specific": true }, "CVE-2016-0821": { "affected_versions": "v2.6.12-rc2 to v4.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "include/linux/poison.h: fix LIST_POISON{1,2} offset", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Security Features", "fixes": "8a5e5e02fc83aaf67053ab53b359af08c6c49aaf", "last_affected_version": "4.1.21", "last_modified": "2023-12-06", "nvd_text": "The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0821", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0821", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0821", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-0821", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0821", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0821" } }, "CVE-2016-0823": { "affected_versions": "v2.6.12-rc2 
to v4.0-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "pagemap: do not leak physical addresses to non-privileged userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 4.0 }, "cwe": "Information Leak / Disclosure", "fixes": "ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce", "last_affected_version": "3.18.10", "last_modified": "2023-12-06", "nvd_text": "The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-0823", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-0823", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-0823", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-0823", "SUSE": "https://www.suse.com/security/cve/CVE-2016-0823", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0823" } }, "CVE-2016-10044": { "affected_versions": "v2.6.12-rc2 to v4.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "aio: mark AIO pseudo-fs noexec", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", 
"Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "22f6b4d34fcf039c63a94e7670e0da24f8575a5a", "last_affected_version": "4.7.6", "last_modified": "2023-12-06", "nvd_text": "The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10044", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10044", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10044", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10044", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10044", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10044" } }, "CVE-2016-10088": { "affected_versions": "v2.6.12-rc2 to v4.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sg_write()/bsg_write() is not fit to be called under KERNEL_DS", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "128394eff343fc6d2f32172f03e24829539c5835", "last_affected_version": "4.9.1", 
"last_modified": "2023-12-06", "nvd_text": "The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10088", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10088", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10088", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10088", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10088", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10088" } }, "CVE-2016-10147": { "affected_versions": "v2.6.12-rc2 to v4.9", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: mcryptd - Check mcryptd algorithm compatibility", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "48a992727d82cb7db076fa15d372178743b1f4cd", "last_affected_version": "4.8", "last_modified": "2023-12-06", "nvd_text": "crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, 
as demonstrated by mcryptd(md5).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10147", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10147", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10147", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10147", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10147", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10147" } }, "CVE-2016-10150": { "affected_versions": "v4.8-rc2 to v4.9-rc8", "breaks": "a28ebea2adc4a2bef5989a5a181ec238f59fbcad", "cmt_msg": "KVM: use after free in kvm_ioctl_create_device()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "a0f1d21c1ccb1da66629627a74059dd7f5ac9c61", "last_affected_version": "4.8.12", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10150", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10150", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10150", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10150", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10150", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10150" } }, "CVE-2016-10153": { "affected_versions": "v4.9-rc1 to v4.10-rc1", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "libceph: introduce ceph_crypt() for in-place en/decryption", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Resource Management Errors", "fixes": "a45f795c65b479b4ba107b6ccde29b896d51ee98", "last_affected_version": "4.9.5", "last_modified": "2023-12-06", "nvd_text": "The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10153", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10153", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10153", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10153", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10153", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10153" } }, "CVE-2016-10154": { "affected_versions": "v4.9-rc1 to v4.10-rc1", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "cifs: Fix smbencrypt() to stop pointing a scatterlist at the stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "06deeec77a5a689cc94b21a8a91a76e42176685d", "last_affected_version": "4.9.0", "last_modified": "2023-12-06", "nvd_text": "The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10154", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10154", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10154", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10154", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10154", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10154" } }, "CVE-2016-10200": { "affected_versions": "v2.6.12-rc2 to v4.9-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges 
Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "32c231164b762dddefa13af5a0101032c70b50ef", "last_affected_version": "4.8.13", "last_modified": "2023-12-06", "nvd_text": "Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10200", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10200", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10200", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10200", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10200", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10200" } }, "CVE-2016-10208": { "affected_versions": "v3.6-rc1 to v4.10-rc1", "breaks": "952fc18ef9ec707ebdc16c0786ec360295e5ff15", "cmt_msg": "ext4: validate s_first_meta_bg at mount time", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.3 }, "cwe": "Out-of-bounds Read", "fixes": "3a4b77cd47bb837b8557595ec7425f281f2ca1fe", "last_affected_version": "4.9.8", "last_modified": "2023-12-06", "nvd_text": "The ext4_fill_super function in 
fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10208", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10208", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10208", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10208", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10208", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10208" } }, "CVE-2016-10229": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "udp: properly support MSG_PEEK with truncated buffers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Improperly Implemented Security Check for Standard", "fixes": "197c949e7798fbf28cfadc69d9ca0c2abbf93191", "last_affected_version": "4.4.20", "last_modified": "2023-12-06", "nvd_text": "udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10229", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10229", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-10229", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10229", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10229", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10229" } }, "CVE-2016-10318": { "affected_versions": "v4.1-rc1 to v4.8-rc6", "breaks": "9bd8212f981ea6375911fe055382ad7529be5b28", "cmt_msg": "fscrypto: add authorization check for setting encryption policy", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "score": 4.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "163ae1c6ad6299b19e22b4a35d5ab24a89791a98", "last_affected_version": "4.7.3", "last_modified": "2023-12-06", "nvd_text": "A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10318", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10318", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10318", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10318", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10318", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10318" } }, "CVE-2016-10723": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", 
"breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm, oom: remove sleep from under oom_lock", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "9bfe5ded054b8e28a94c78580f233d6879a00146", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. 
NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that \"the underlying problem is non-trivial to handle.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10723", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10723", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10723", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10723", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10723", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10723" } }, "CVE-2016-10741": { "affected_versions": "v2.6.12-rc2 to v4.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: don't BUG() on mixed direct and mapped I/O", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "04197b341f23b908193308b8d63d17ff23232598", "last_affected_version": "4.9.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10741", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10741", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10741", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2016-10741", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10741", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10741" } }, "CVE-2016-10764": { "affected_versions": "v4.8-rc1 to v4.10-rc1", "breaks": "140623410536905fa6ab737b625decfde6c64a72", "cmt_msg": "mtd: spi-nor: Off by one in cqspi_setup_flash()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "193e87143c290ec16838f5368adc0e0bc94eb931", "last_affected_version": "4.9.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.9.6, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. 
There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so the \">\" should be \">=\" instead.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10764", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10764", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10764", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10764", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10764", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10764" } }, "CVE-2016-10905": { "affected_versions": "v3.4-rc3 to v4.8-rc1", "breaks": "c1ac539ed43f273cd4d92bf7350ffd783b920184", "cmt_msg": "GFS2: don't set rgrp gl_object until it's inserted into rgrp tree", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "36e4ad0316c017d5b271378ed9a1c9a4b77fab5f", "last_affected_version": "4.4.190", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. 
A use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10905", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10905", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10905", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10905", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10905", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10905" } }, "CVE-2016-10906": { "affected_versions": "v3.11-rc1 to v4.5-rc6", "breaks": "e4f2379db6c6823c5d4a4c2c912df00c65de51d7", "cmt_msg": "net: arc_emac: fix koops caused by sk_buff free", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "c278c253f3d992c6994d08aa0efb2b6806ca396f", "last_affected_version": "4.4.190", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. 
A use-after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10906", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10906", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10906", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10906", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10906", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10906" } }, "CVE-2016-10907": { "affected_versions": "v4.8-rc1 to v4.9-rc1", "breaks": "c947459979c6c9c8aff9c9b5027b31dbf8055106", "cmt_msg": "iio: ad5755: fix off-by-one on devnr limit check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "9d47964bfd471f0dd4c89f28556aec68bffa0020", "last_affected_version": "4.8.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/iio/dac/ad5755.c in the Linux kernel before 4.8.6. 
There is an out of bounds write in the function ad5755_parse_dt.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-10907", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-10907", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-10907", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-10907", "SUSE": "https://www.suse.com/security/cve/CVE-2016-10907", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10907" } }, "CVE-2016-1237": { "affected_versions": "v3.14-rc1 to v4.7-rc5", "breaks": "4ac7249ea5a0ceef9f8269f63f33cc873c3fac61", "cmt_msg": "posix_acl: Add set_posix_acl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f", "last_affected_version": "4.6.4", "last_modified": "2023-12-06", "nvd_text": "nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-1237", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-1237", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-1237", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-1237", "SUSE": "https://www.suse.com/security/cve/CVE-2016-1237", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1237" } }, "CVE-2016-1575": { "affected_versions": 
"v3.18-rc2 to v4.5-rc1", "breaks": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c", "cmt_msg": "ovl: setattr: check permissions before copy-up", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "cf9a6784f7c1b5ee2b9159a1246e327c331c5697", "last_affected_version": "4.4.2", "last_modified": "2023-12-06", "nvd_text": "The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-1575", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-1575", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-1575", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-1575", "SUSE": "https://www.suse.com/security/cve/CVE-2016-1575", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1575" } }, "CVE-2016-1576": { "affected_versions": "v3.18-rc2 to v4.5-rc1", "breaks": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c", "cmt_msg": "ovl: setattr: check permissions before copy-up", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "cf9a6784f7c1b5ee2b9159a1246e327c331c5697", "last_affected_version": "4.4.2", "last_modified": "2023-12-06", "nvd_text": "The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-1576", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-1576", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-1576", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-1576", "SUSE": "https://www.suse.com/security/cve/CVE-2016-1576", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1576" } }, "CVE-2016-1583": { "affected_versions": "v2.6.12-rc2 to v4.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "proc: prevent stacking filesystems on top", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9", "last_affected_version": "4.6.2", "last_modified": "2023-12-06", "nvd_text": "The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c 
in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-1583", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-1583", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-1583", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-1583", "SUSE": "https://www.suse.com/security/cve/CVE-2016-1583", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1583" } }, "CVE-2016-2053": { "affected_versions": "v3.13-rc1 to v4.3-rc1", "breaks": "3d167d68e3805ee45ed2e8412fc03ed919c54c24", "cmt_msg": "ASN.1: Fix non-match detection failure on data overrun", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Cryptographic Issues", "fixes": "0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f", "last_affected_version": "3.18.53", "last_modified": "2023-12-06", "nvd_text": "The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2053", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2053", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-2053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2053", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2053", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2053" } }, "CVE-2016-2069": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/mm: Add barriers and document switch_mm()-vs-flush synchronization", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.4 }, "cwe": "Race Conditions", "fixes": "71b3c126e61177eb693423f2e18a1914205b165e", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2069", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2069", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2069", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2069", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2069", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2069" } }, "CVE-2016-2070": { "affected_versions": "v4.3-rc1 to v4.4", "breaks": "3759824da87b30ce7a35b4873b62b0ba38905ef5", "cmt_msg": "tcp: fix zero cwnd in tcp_cwnd_reduction", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network 
Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Numeric Errors", "fixes": "8b8a321ff72c785ed5e8b4cf6eda20b35d427390", "last_affected_version": "4.3", "last_modified": "2023-12-06", "nvd_text": "The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux kernel before 4.3.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via crafted TCP traffic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2070", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2070", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2070", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2070", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2070", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2070" } }, "CVE-2016-2085": { "affected_versions": "v3.3-rc1 to v4.5-rc4", "breaks": "15647eb3985ef30dfd657038924dc85c03026733", "cmt_msg": "EVM: Use crypto_memneq() for digest comparisons", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Data Handling", 
"fixes": "613317bd212c585c20796c10afe5daaa95d4b0a1", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2085", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2085", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2085", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2085", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2085", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2085" } }, "CVE-2016-2117": { "affected_versions": "v3.10-rc1 to v4.6-rc5", "breaks": "ec5f061564238892005257c83565a0b58ec79295", "cmt_msg": "atl2: Disable unimplemented scatter/gather feature", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "f43bfaeddc79effbf3d0fcb53ca477cca66f3db8", "last_affected_version": "4.5.4", "last_modified": "2023-12-06", "nvd_text": "The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-2117", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2117", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2117", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2117", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2117", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2117" } }, "CVE-2016-2143": { "affected_versions": "v2.6.25-rc1 to v4.5", "breaks": "6252d702c5311ce916caf75ed82e5c8245171c92", "cmt_msg": "s390/mm: four page table levels vs. fork", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "3446c13b268af86391d06611327006b059b8bab1", "last_affected_version": "4.4", "last_modified": "2023-12-06", "nvd_text": "The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2143", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2143", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2143", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2143", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2143", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2143" } }, "CVE-2016-2184": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "0f886ca12765d20124bd06291c82951fd49a33be", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2184", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2184", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2184", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2184", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2184", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2184" } }, "CVE-2016-2185": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: ati_remote2 - fix crashes on detecting device with invalid descriptor", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2185", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2185", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2185", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2185", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2185", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2185" } }, "CVE-2016-2186": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: powermate - fix oops with malicious USB descriptors", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "4.6" }, "cwe": "Other", "fixes": 
"9c6ba456711687b794dcf285856fc14e2c76074f", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2186", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2186", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2186", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2186", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2186", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2186" } }, "CVE-2016-2187": { "affected_versions": "v2.6.12-rc2 to v4.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: gtco - fix crash on detecting device without endpoints", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "4.6" }, "cwe": "Unspecified", "fixes": "162f98dea487206d9ab79fc12ed64700667a894d", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2187", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2016-2187", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2187", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2187", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2187", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2187" } }, "CVE-2016-2188": { "affected_versions": "v2.6.12-rc2 to v4.11-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: iowarrior: fix NULL-deref at probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "b7321e81fc369abe353cf094d4f0dc2fe11ab95f", "last_affected_version": "4.10.3", "last_modified": "2023-12-06", "nvd_text": "The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2188", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2188", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2188", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2188", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2188", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2188" } }, "CVE-2016-2383": { "affected_versions": "v4.1-rc1 to v4.5-rc4", "breaks": "9bac3d6d548e5cc925570b263f35b70a00a00ffd", 
"cmt_msg": "bpf: fix branch offset adjustment on backjumps after patching ctx expansion", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "a1b14d27ed0965838350f1377ff97c93ee383492", "last_affected_version": "4.4.3", "last_modified": "2023-12-06", "nvd_text": "The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2383", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2383", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2383", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2383", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2383", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2383" } }, "CVE-2016-2384": { "affected_versions": "v2.6.12-rc2 to v4.5-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: avoid freeing umidi object twice", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", 
"Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "07d86ca93db7e5cdf4743564d98292042ec21af7", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2384", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2384", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2384", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2384", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2384", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2384" } }, "CVE-2016-2543": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: seq: Fix missing NULL check at remove_events ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Unspecified", "fixes": "030e2c78d3a91dd0d27fef37e91950dde333eba1", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "The snd_seq_ioctl_remove_events function 
in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2543", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2543", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2543", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2543" } }, "CVE-2016-2544": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: seq: Fix race at timer setup and close", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Race Conditions", "fixes": "3567eb6af614dac436c4b16a8d426f9faed639b3", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2544", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2544", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2544", "Red 
Hat": "https://access.redhat.com/security/cve/CVE-2016-2544", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2544", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2544" } }, "CVE-2016-2545": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Fix double unlink of active_list", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Race Conditions", "fixes": "ee8413b01045c74340aa13ad5bdf905de32be736", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2545", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2545", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2545", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2545", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2545", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2545" } }, "CVE-2016-2546": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Fix race among timer ioctls", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local 
Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Race Conditions", "fixes": "af368027a49a751d6ff4ee9e3f9961f35bb4fede", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2546", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2546", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2546", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2546", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2546", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2546" } }, "CVE-2016-2547": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Harden slave timer list handling", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": 
"Race Conditions", "fixes": "b5a663aa426f4884c71cd8580adae73f33570f0d", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2547", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2547", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2547", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2547", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2547", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2547" } }, "CVE-2016-2548": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Harden slave timer list handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Input Validation", "fixes": "b5a663aa426f4884c71cd8580adae73f33570f0d", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2548", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2548", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2548", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2548", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2548", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2548" } }, "CVE-2016-2549": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: hrtimer: Fix stall by hrtimer_cancel()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Input Validation", "fixes": "2ba1fe7a06d3624f9a7586d672b55f08f7c670f3", "last_affected_version": "4.4.0", "last_modified": "2023-12-06", "nvd_text": "sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2549", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2549", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2549", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2549", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2549", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2549" } }, "CVE-2016-2550": { "affected_versions": "v4.5-rc1 to v4.5-rc4", "breaks": 
"712f4aad406bb1ed67f3f98d04c044191f0ff593", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "415e3d3e90ce9e18727e8843ae343eda5a58fad6", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2550", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2550", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2550", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2550", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2550", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2550" } }, "CVE-2016-2782": { "affected_versions": "v2.6.12-rc2 to v4.5-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: visor: fix null-deref at probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": 
"None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Other", "fixes": "cac9b50b0d75a1d50d6c056ff65c005f3224c8e0", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2782", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2782", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2782", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2782", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2782", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2782" } }, "CVE-2016-2847": { "affected_versions": "v2.6.12-rc2 to v4.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "pipe: limit the per-user amount of pages allocated in pipes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Resource Management Errors", "fixes": "759c01142a5d0f364a462346168a56de28a80f52", "last_affected_version": "4.4.12", "last_modified": "2023-12-06", "nvd_text": "fs/pipe.c in the Linux kernel 
before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2847", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2847", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2847", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2847", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2847", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2847" } }, "CVE-2016-2853": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2853", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2853", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2853", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2853", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2853", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2853" }, "vendor_specific": true }, "CVE-2016-2854": { "breaks": "", 
"cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-2854", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-2854", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-2854", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-2854", "SUSE": "https://www.suse.com/security/cve/CVE-2016-2854", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2854" }, "vendor_specific": true }, "CVE-2016-3044": { "affected_versions": "v3.14-rc1 to v4.5", "breaks": "b005255e12a311d2c87ea70a7c7b192b2187c22c", "cmt_msg": "KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Input Validation", "fixes": "ccec44563b18a0ce90e2d4f332784b3cb25c8e9c", "last_affected_version": "4.4", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 and 3.1 before 3.1.0.2 allows guest OS users to cause a denial of service (host OS infinite loop and hang) via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3044", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3044", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3044", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3044", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3044", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3044" } }, "CVE-2016-3070": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: migrate dirty page without clear_page_dirty_for_io etc", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "42cb14b110a5698ccf26ce59c4441722605a3743", "last_affected_version": "3.16.35", "last_modified": "2023-12-06", "nvd_text": "The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or 
possibly have unspecified other impact by triggering a certain page move.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3070", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3070", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3070", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3070", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3070", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3070" } }, "CVE-2016-3134": { "affected_versions": "v2.6.12-rc2 to v4.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: x_tables: fix unconditional helper", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.4 }, "cwe": "Buffer Errors", "fixes": "54d83fc74aa9ec72794373cb47432c5f7fb1a309", "last_affected_version": "4.4.13", "last_modified": "2023-12-06", "nvd_text": "The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3134", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3134", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3134", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3134", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3134", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3134" } }, "CVE-2016-3135": { "affected_versions": "v4.2-rc1 to v4.6-rc1", "breaks": "711bdde6a884354ddae8da2fcb495b2a9364cc90", "cmt_msg": "netfilter: x_tables: check for size overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Numeric Errors", "fixes": "d157bd761585605b7882935ffb86286919f62ea1", "last_affected_version": "4.4.20", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3135", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3135", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3135", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3135", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3135", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3135" } }, "CVE-2016-3136": { "affected_versions": "v2.6.12-rc2 to v4.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: mct_u232: add sanity checking in probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", 
"Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "4e9a0b05257f29cf4b75f3209243ed71614d062e", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3136", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3136", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3136", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3136", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3136", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3136" } }, "CVE-2016-3137": { "affected_versions": "v2.6.12-rc2 to v4.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: cypress_m8: add endpoint sanity check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": 
"c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3137", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3137", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3137", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3137", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3137", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3137" } }, "CVE-2016-3138": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: cdc-acm: more sanity checking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "8835ba4a39cf53f705417b3b3a94eb067673f2c9", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint 
descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3138", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3138", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3138", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3138", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3138", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3138" } }, "CVE-2016-3139": { "affected_versions": "unk to v3.17-rc1", "breaks": "", "cmt_msg": "Input: wacom - compute the HID report size to get the actual packet size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "01c846f9539c194c7a6e34af036b1115b8ed822a", "last_modified": "2023-12-06", "nvd_text": "The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3139", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3139", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3139", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3139", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3139", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3139" } }, "CVE-2016-3140": { "affected_versions": "v2.6.12-rc2 to 
v4.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: digi_acceleport: do sanity checking for the number of ports", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3140", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3140", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3140", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3140", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3140", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3140" } }, "CVE-2016-3156": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv4: Don't do expensive useless work during inetdev destroy.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Resource Management Errors", "fixes": "fbd40ea0180a2d328c5adc61414dc8bab9335ce2", "last_affected_version": "4.5.1", "last_modified": "2023-12-06", "nvd_text": "The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3156", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3156", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3156", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3156", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3156", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3156" } }, "CVE-2016-3157": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/iopl/64: Properly context-switch IOPL on Xen PV", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "b7a584598aea7ca73140cb87b40319944dd3393f", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does 
not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3157", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3157", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3157", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3157", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3157", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3157" } }, "CVE-2016-3672": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/mm/32: Enable full randomization on i386 and X86_32", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Security Features", "fixes": "8b8addf891de8a00e4d39fc32f93f7c5eb8feceb", "last_affected_version": "4.4.17", "last_modified": "2023-12-06", "nvd_text": "The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3672", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2016-3672", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3672", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3672", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3672", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3672" } }, "CVE-2016-3689": { "affected_versions": "v3.10-rc1 to v4.6-rc1", "breaks": "628329d52474323938a03826941e166bc7c8eff4", "cmt_msg": "Input: ims-pcu - sanity check against missing interfaces", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3689", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3689", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3689", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3689", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3689", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3689" } }, "CVE-2016-3695": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Injection", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3695", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3695", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3695", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3695", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3695", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3695" }, "vendor_specific": true }, "CVE-2016-3699": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.4 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel, as used in Red Hat Enterprise Linux 7.2 
and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3699", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3699", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3699", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3699", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3699", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3699" }, "vendor_specific": true }, "CVE-2016-3707": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Improper Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The icmp_check_sysrq function in net/ipv4/icmp.c in the kernel.org projects/rt patches for the Linux kernel, as used in the kernel-rt package before 3.10.0-327.22.1 in Red Hat Enterprise Linux for Real Time 7 and other products, allows remote attackers to execute SysRq commands via crafted ICMP Echo Request packets, as demonstrated by a brute-force attack to discover a cookie, or an attack that occurs after reading the local icmp_echo_sysrq file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3707", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3707", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3707", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2016-3707", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3707", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3707" }, "vendor_specific": true }, "CVE-2016-3713": { "affected_versions": "v4.2-rc1 to v4.7-rc1", "breaks": "910a6aae4e2e45855efc4a268e43eed2d8445575", "cmt_msg": "KVM: MTRR: remove MSR 0x2f8", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.1" }, "cwe": "Improper Access Control", "fixes": "9842df62004f366b9fed2423e24df10542ee0dc5", "last_affected_version": "4.6.0", "last_modified": "2023-12-06", "nvd_text": "The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3713", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3713", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3713", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3713", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3713", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3713" } }, "CVE-2016-3775": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": 
"Complete", "score": "9.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The kernel filesystem implementation in Android before 2016-07-05 on Nexus 5X, Nexus 6, Nexus 6P, Nexus Player, and Pixel C devices allows attackers to gain privileges via a crafted application, aka internal bug 28588279.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3775", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3775", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3775", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3775", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3775", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3775" }, "vendor_specific": true }, "CVE-2016-3802": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The kernel filesystem implementation in Android before 2016-07-05 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 28271368.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-3802", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3802", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3802", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3802", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3802", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3802" }, "vendor_specific": true }, "CVE-2016-3803": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The kernel filesystem implementation in Android before 2016-07-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application, aka internal bug 28588434.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3803", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3803", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3803", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3803", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3803", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3803" }, "vendor_specific": true }, "CVE-2016-3841": { "affected_versions": "v2.6.12-rc2 to v4.4-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: add complete rcu protection around np->opt", "cvss2": { "Access Complexity": 
"Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "score": 7.3 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "45f6fad84cc305103b28d73482b344d7f5b76f39", "last_affected_version": "4.3.2", "last_modified": "2023-12-06", "nvd_text": "The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3841", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3841", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3841", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3841", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3841", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3841" } }, "CVE-2016-3857": { "affected_versions": "v2.6.12-rc2 to v4.8-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm: oabi compat: add missing access checks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": 
"Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "7de249964f5578e67b99699c5f0b405738d820a2", "last_affected_version": "4.7.0", "last_modified": "2023-12-06", "nvd_text": "The kernel in Android before 2016-08-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka internal bug 28522518.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3857", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3857", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3857", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3857", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3857", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3857" } }, "CVE-2016-3951": { "affected_versions": "v3.10-rc1 to v4.5", "breaks": "8a34b0ae8778f6b42ed38857486b769a224e2536", "cmt_msg": "cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "4d06dd537f95683aba3651098ae288b7cbff8274", "last_affected_version": "4.4", "last_modified": "2023-12-06", "nvd_text": "Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.", 
"ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3951", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3951", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3951", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3951" } }, "CVE-2016-3955": { "affected_versions": "v2.6.12-rc2 to v4.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: usbip: fix potential out-of-bounds write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Buffer Errors", "fixes": "b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3955", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3955", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3955", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3955", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3955", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3955" } }, 
"CVE-2016-3961": { "affected_versions": "v2.6.12-rc2 to v4.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/mm/xen: Suppress hugetlbfs in PV guests", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "2.1" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "5.5" }, "cwe": "Input Validation", "fixes": "103f6112f253017d7062cd74d17f4a514ed4485c", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-3961", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-3961", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-3961", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-3961", "SUSE": "https://www.suse.com/security/cve/CVE-2016-3961", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3961" } }, "CVE-2016-4440": { "affected_versions": "v4.5-rc1 to v4.7-rc1", "breaks": "5c919412fe61c35947816fdbd5f7bd09fe0dd073", "cmt_msg": "kvm:vmx: more complete state update on APICv on/off", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "score": "7.2" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges 
Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "3ce424e45411cf5a13105e0386b6ecf6eeb4f66f", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3 mishandles the APICv on/off state, which allows guest OS users to obtain direct APIC MSR access on the host OS, and consequently cause a denial of service (host OS crash) or possibly execute arbitrary code on the host OS, via x2APIC mode.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4440", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4440", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4440", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4440", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4440", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4440" } }, "CVE-2016-4470": { "affected_versions": "v2.6.35-rc1 to v4.7-rc4", "breaks": "f70e2e06196ad4c1c762037da2f75354f6c16b81", "cmt_msg": "KEYS: potential uninitialized variable", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "38327424b40bcebe2de92d07312c89360ac9229a", "last_affected_version": "4.6.4", "last_modified": "2023-12-06", "nvd_text": "The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a 
denial of service (system crash) via vectors involving a crafted keyctl request2 command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4470", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4470", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4470", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4470", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4470", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4470" } }, "CVE-2016-4482": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: usbfs: fix potential infoleak in devio", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.2 }, "cwe": "Information Leak / Disclosure", "fixes": "681fef8380eb818c0b845fca5d2ab1dcbab114ee", "last_affected_version": "4.4.18", "last_modified": "2023-12-06", "nvd_text": "The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4482", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4482", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4482", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4482", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4482", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4482" } }, "CVE-2016-4485": { "affected_versions": "v2.6.12-rc2 to v4.6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fix infoleak in llc", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "b8670c09f37bdf2847cc44f36511a53afc6161fd", "last_affected_version": "4.5", "last_modified": "2023-12-06", "nvd_text": "The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4485", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4485", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4485", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4485", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4485", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4485" } }, "CVE-2016-4486": { "affected_versions": "v2.6.12-rc2 to v4.6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fix infoleak in rtnetlink", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", 
"score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Information Leak / Disclosure", "fixes": "5f8e44741f9f216e33736ea4ec65ca9ac03036e6", "last_affected_version": "4.5", "last_modified": "2023-12-06", "nvd_text": "The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4486", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4486", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4486", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4486", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4486", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4486" } }, "CVE-2016-4557": { "affected_versions": "v4.4-rc1 to v4.6-rc6", "breaks": "1be7f75d1668d6296b80bf35dcf6762393530afc", "cmt_msg": "bpf: fix double-fdput in replace_map_fd_with_map_ptr()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7", "last_affected_version": "4.5.4", "last_modified": 
"2023-12-06", "nvd_text": "The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4557", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4557", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4557", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4557", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4557", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4557" } }, "CVE-2016-4558": { "affected_versions": "v4.4-rc1 to v4.6-rc7", "breaks": "1be7f75d1668d6296b80bf35dcf6762393530afc", "cmt_msg": "bpf: fix refcnt overflow", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "92117d8443bc5afacc8d5ba82e541946310f106e", "last_affected_version": "4.5.4", "last_modified": "2023-12-06", "nvd_text": "The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4558", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4558", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4558", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4558", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4558", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4558" } }, "CVE-2016-4565": { "affected_versions": "v2.6.12-rc2 to v4.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "IB/security: Restrict use of the write() interface", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4565", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4565", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4565", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4565" } }, 
"CVE-2016-4568": { "affected_versions": "v4.4-rc1 to v4.6-rc6", "breaks": "b0e0e1f83de31aa0428c38b692c590cc0ecd3f03", "cmt_msg": "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4.5.3 allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a crafted number of planes in a VIDIOC_DQBUF ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4568", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4568", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4568", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4568", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4568", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4568" } }, "CVE-2016-4569": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 
2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "cec8f96e49d9be372fdb0c3836dcf31ec71e457e", "last_affected_version": "4.6.5", "last_modified": "2023-12-06", "nvd_text": "The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4569", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4569", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4569", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4569", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4569", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4569" } }, "CVE-2016-4578": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Fix leak in events via snd_timer_user_ccallback", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6", "last_affected_version": 
"4.6.5", "last_modified": "2023-12-06", "nvd_text": "sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4578", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4578", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4578", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4578", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4578", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4578" } }, "CVE-2016-4580": { "affected_versions": "v2.6.12-rc2 to v4.6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fix a kernel infoleak in x25 module", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "79e48650320e6fba48369fccf13fd045315b19b8", "last_affected_version": "4.5", "last_modified": "2023-12-06", "nvd_text": "The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-4580", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4580", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4580", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4580", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4580", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4580" } }, "CVE-2016-4581": { "affected_versions": "v3.15-rc1 to v4.6-rc7", "breaks": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68", "cmt_msg": "propogate_mnt: Handle the first propogated copy being a slave", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "5ec0811d30378ae104f250bfc9b3640242d81e3f", "last_affected_version": "4.5.3", "last_modified": "2023-12-06", "nvd_text": "fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4581", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4581", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4581", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4581", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4581", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4581" } }, "CVE-2016-4794": { 
"affected_versions": "v3.18-rc1 to v4.7-rc4", "breaks": "9c824b6a172c8d44a6b037946bae90127c969b1b", "cmt_msg": "percpu: fix synchronization between chunk->map_extend_work and chunk destruction", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "4f996e234dad488e5d9ba0858bc1bae12eff82c3", "last_affected_version": "4.6.4", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4794", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4794", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4794", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4794", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4794", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4794" } }, "CVE-2016-4805": { "affected_versions": "v2.6.30-rc1 to v4.6-rc1", "breaks": "273ec51dd7ceaa76e038875d85061ec856d8905e", "cmt_msg": "ppp: take reference on channels netns", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": 
"Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "1f461dcdd296eecedaffffc6bae2bfa90bd7eb89", "last_affected_version": "4.5.1", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4805", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4805", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4805", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4805", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4805", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4805" } }, "CVE-2016-4913": { "affected_versions": "v2.6.12-rc2 to v4.6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "get_rock_ridge_filename(): handle malformed NM entries", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Information Leak / Disclosure", "fixes": 
"99d825822eade8d827a1817357cbf3f889a552d6", "last_affected_version": "4.5", "last_modified": "2023-12-06", "nvd_text": "The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \\0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4913", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4913", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4913", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4913", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4913", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4913" } }, "CVE-2016-4951": { "affected_versions": "v3.19-rc1 to v4.7-rc1", "breaks": "1a1a143daf84db95dd7212086042004a3abb7bc2", "cmt_msg": "tipc: check nl sock before parsing nested attributes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "45e093ae2830cd1264677d47ff9a95a71f5d9f9c", "last_affected_version": "4.6.2", "last_modified": "2023-12-06", "nvd_text": "The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a 
dumpit operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4951", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4951", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4951", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4951" } }, "CVE-2016-4997": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: x_tables: check for bogus target offset", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "ce683e5f9d045e5d67d1312a42b359cb2ab2a13c", "last_affected_version": "4.6.2", "last_modified": "2023-12-06", "nvd_text": "The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4997", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4997", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4997", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4997", "SUSE": 
"https://www.suse.com/security/cve/CVE-2016-4997", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4997" } }, "CVE-2016-4998": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: x_tables: check for bogus target offset", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Buffer Errors", "fixes": "ce683e5f9d045e5d67d1312a42b359cb2ab2a13c", "last_affected_version": "4.6.2", "last_modified": "2023-12-06", "nvd_text": "The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-4998", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-4998", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-4998", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-4998", "SUSE": "https://www.suse.com/security/cve/CVE-2016-4998", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4998" } }, "CVE-2016-5195": { "affected_versions": "v2.6.22-rc1 to v4.9-rc2", "breaks": "0a27a14a62921b438bb6f33772690d345a089be6", "cmt_msg": "mm: remove gup_flags FOLL_WRITE games from __get_user_pages()", 
"cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Race Conditions", "fixes": "19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619", "last_affected_version": "4.8.2", "last_modified": "2023-12-06", "name": "Dirty COW", "nvd_text": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5195", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5195", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5195", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5195", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5195", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195" } }, "CVE-2016-5243": { "affected_versions": "v2.6.12-rc2 to v4.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tipc: fix an infoleak in tipc_nl_compat_link_dump", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "5d2be1422e02ccd697ccfcd45c85b4a26e6178e2", "last_affected_version": "4.4.20", "last_modified": "2023-12-06", "nvd_text": "The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5243", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5243", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5243", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5243", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5243", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5243" } }, "CVE-2016-5244": { "affected_versions": "v2.6.12-rc2 to v4.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rds: fix an infoleak in rds_inc_info_copy", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "5.0" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "7.5" }, "cwe": "Information Leak / Disclosure", "fixes": "4116def2337991b39919f3b448326e21c40e0dbb", "last_affected_version": "4.4.20", "last_modified": "2023-12-06", "nvd_text": "The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from 
kernel stack memory by reading an RDS message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5244", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5244", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5244", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5244", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5244", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5244" } }, "CVE-2016-5340": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5340", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5340", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5340", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5340", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5340", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5340" }, "vendor_specific": true }, "CVE-2016-5342": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local 
Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5342", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5342", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5342", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5342", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5342", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5342" }, "vendor_specific": true }, "CVE-2016-5343": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 
9.8 }, "cwe": "Buffer Errors", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5343", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5343", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5343", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5343", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5343", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5343" }, "vendor_specific": true }, "CVE-2016-5344": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Multiple integer overflows in the MDSS driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service or possibly have unspecified other impact via a large size value, related to mdss_compat_utils.c, mdss_fb.c, and mdss_rotator.c.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-5344", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5344", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5344", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5344", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5344", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5344" }, "vendor_specific": true }, "CVE-2016-5400": { "affected_versions": "v3.17-rc1 to v4.7", "breaks": "f3e775962ccbc62bd93f2200b82db88af05d0137", "cmt_msg": "media: fix airspy usb probe error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.3 }, "cwe": "Buffer Errors", "fixes": "aa93d1fee85c890a34f2510a310e55ee76a27848", "last_affected_version": "4.6", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumption) via a crafted USB device that emulates many VFL_TYPE_SDR or VFL_TYPE_SUBDEV devices and performs many connect and disconnect operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5400", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5400", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5400", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5400", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5400", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5400" } }, "CVE-2016-5412": { "affected_versions": "v3.15-rc1 to v4.8-rc1", "breaks": "e4e38121507a27d2ccc4b28d9e7fc4818a12c44c", "cmt_msg": "KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:S/C:N/I:N/A:C", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Resource Management Errors", "fixes": "f024ee098476a3e620232e4a78cfac505f121245", "last_affected_version": "4.7.1", "last_modified": "2023-12-06", "nvd_text": "arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5412", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5412", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5412", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5412", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5412", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5412" } }, "CVE-2016-5696": { "affected_versions": "v3.6-rc1 to v4.7", "breaks": "282f23c6ee343126156dd41218b22ece96d747e3", "cmt_msg": "tcp: make challenge acks less predictable", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": 
"Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "score": 5.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "Low", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "score": 4.8 }, "cwe": "Information Leak / Disclosure", "fixes": "75ff39ccc1bd5d3c455b6822ab09e533c551f758", "last_affected_version": "4.6", "last_modified": "2023-12-06", "nvd_text": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5696", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5696", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5696", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5696", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5696", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696" } }, "CVE-2016-5728": { "affected_versions": "v3.13-rc1 to v4.7-rc1", "breaks": "f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5", "cmt_msg": "misc: mic: Fix for double fetch security bug in VOP driver", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:C", "score": 5.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "cwe": "Buffer Errors", "fixes": 
"9bf292bfca94694a721449e3fd752493856710f6", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5728", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5728", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5728", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5728", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5728", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5728" } }, "CVE-2016-5828": { "affected_versions": "v3.9-rc1 to v4.7-rc6", "breaks": "bc2a9408fa65195288b41751016c36fd00a75a85", "cmt_msg": "powerpc/tm: Always reclaim in start_thread() for exec() class syscalls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "8e96a87c5431c256feb65bcfc5aec92d9f7839b6", "last_affected_version": "4.6.4", "last_modified": "2023-12-06", "nvd_text": "The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process 
state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5828", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5828", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5828", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5828", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5828", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5828" } }, "CVE-2016-5829": { "affected_versions": "v2.6.12-rc2 to v4.7-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "93a2001bdfd5376c3dc2158653034c20392d15c5", "last_affected_version": "4.6.4", "last_modified": "2023-12-06", "nvd_text": "Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5829", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5829", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5829", "Red 
Hat": "https://access.redhat.com/security/cve/CVE-2016-5829", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5829", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5829" } }, "CVE-2016-5870": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The msm_ipc_router_close function in net/ipc_router/ipc_router_socket.c in the ipc_router component for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact by triggering failure of an accept system call for an AF_MSM_IPC socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-5870", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-5870", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-5870", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-5870", "SUSE": "https://www.suse.com/security/cve/CVE-2016-5870", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5870" }, "vendor_specific": true }, "CVE-2016-6130": { "affected_versions": "v3.11-rc1 to v4.6-rc6", "breaks": "d475f942b1dd6a897dac3ad4ed98d6994b275378", "cmt_msg": "s390/sclp_ctl: fix potential information leak with /dev/sclp", "cvss2": { "Access Complexity": 
"Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "1.9" }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "4.7" }, "cwe": "Race Conditions", "fixes": "532c34b5fbf1687df63b3fcd5b2846312ac943c6", "last_affected_version": "4.4.20", "last_modified": "2023-12-06", "nvd_text": "Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6130", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6130", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6130", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6130", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6130", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6130" } }, "CVE-2016-6136": { "affected_versions": "v2.6.12-rc2 to v4.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "audit: fix a double fetch in audit_log_single_execve_arg()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 4.7 }, "cwe": 
"Race Conditions", "fixes": "43761473c254b45883a64441dd0bc85a42f3645c", "last_affected_version": "4.7.1", "last_modified": "2023-12-06", "nvd_text": "Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6136", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6136", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6136", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6136", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6136", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6136" } }, "CVE-2016-6156": { "affected_versions": "v4.2-rc1 to v4.7-rc7", "breaks": "a841178445bb72a3d566b4e6ab9d19e9b002eb47", "cmt_msg": "platform/chrome: cros_ec_dev - double fetch bug in ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Race Conditions", "fixes": "096cdc6f52225835ff503f987a0d68ef770bb78e", "last_affected_version": "4.6.5", "last_modified": "2023-12-06", "nvd_text": "Race condition in the ec_device_ioctl_xcmd function in drivers/platform/chrome/cros_ec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a \"double fetch\" 
vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6156", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6156", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6156", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6156", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6156", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6156" } }, "CVE-2016-6162": { "affected_versions": "v4.7-rc1 to v4.7", "breaks": "e6afc8ace6dd5cef5e812f26c72579da8806f5ac", "cmt_msg": "udp: prevent bugcheck if filter truncates packet too much", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "a612769774a30e4fc143c4cb6395c12573415660", "last_affected_version": "4.6", "last_modified": "2023-12-06", "nvd_text": "net/core/skbuff.c in the Linux kernel 4.7-rc6 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via certain IPv6 socket operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6162", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6162", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6162", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6162", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6162", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6162" } }, "CVE-2016-6187": { "affected_versions": "v4.5-rc1 to v4.7-rc7", "breaks": 
"bb646cdb12e75d82258c2f2e7746d5952d3e321a", "cmt_msg": "apparmor: fix oops, validate buffer size in apparmor_setprocattr()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "30a46a4647fd1df9cf52e43bf467f0d9265096ca", "last_affected_version": "4.6.4", "last_modified": "2023-12-06", "nvd_text": "The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6187", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6187", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6187", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6187", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6187", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6187" } }, "CVE-2016-6197": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ovl: verify upper dentry before unlink and rename", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "11f3710417d026ea2f4fcf362d866342c5274185", "last_affected_version": "4.4.15", "last_modified": "2023-12-06", "nvd_text": "fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6197", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6197", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6197", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6197", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6197", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6197" } }, "CVE-2016-6198": { "affected_versions": "v2.6.12-rc2 to v4.6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vfs: add vfs_select_inode() helper", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "54d5ca871e72f2bb172ec9323497f01cd5091ec7", "last_affected_version": "4.5", "last_modified": "2023-12-06", "nvd_text": "The filesystem layer in the 
Linux kernel before 4.5.5 proceeds with post-rename operations after an OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service (system crash) via a rename system call, related to fs/namei.c and fs/open.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6198", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6198", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6198", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6198", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6198", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6198" } }, "CVE-2016-6213": { "affected_versions": "v2.6.12-rc2 to v4.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mnt: Add a per mount namespace limit on the number of mounts", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "d29216842a85c7970c536108e093963f02714498", "last_affected_version": "4.4.64", "last_modified": "2023-12-06", "nvd_text": "fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-6213", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6213", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6213", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6213", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6213", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6213" } }, "CVE-2016-6327": { "affected_versions": "v3.8-rc1 to v4.6-rc1", "breaks": "3e4f574857eebce60bb56d7524f3f9eaa2a126d0", "cmt_msg": "IB/srpt: Simplify srpt_handle_tsk_mgmt()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "51093254bf879bc9ce96590400a87897c7498463", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6327", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6327", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6327", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6327", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6327", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6327" } }, "CVE-2016-6480": { "affected_versions": "v2.6.13-rc1 to v4.8-rc3", "breaks": 
"7c00ffa314bf0fb0e23858bbebad33b48b6abbb9", "cmt_msg": "aacraid: Check size values after double-fetch from user", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Race Conditions", "fixes": "fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3", "last_affected_version": "4.7.2", "last_modified": "2023-12-06", "nvd_text": "Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6480", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6480", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6480", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6480", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6480", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6480" } }, "CVE-2016-6516": { "affected_versions": "v4.5-rc1 to v4.8-rc1", "breaks": "54dbc15172375641ef03399e8f911d7165eb90fb", "cmt_msg": "vfs: ioctl: prevent double-fetch in dedupe ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.4 }, "cwe": "Buffer Errors", "fixes": "10eec60ce79187686e052092e5383c99b4420a20", "last_affected_version": "4.7.0", "last_modified": "2023-12-06", "nvd_text": "Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6516", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6516", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6516", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6516" } }, "CVE-2016-6753": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components, including the process-grouping subsystem and the networking subsystem, in Android before 2016-11-05 could enable a local malicious application to access data outside of 
its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Android ID: A-30149174.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6753", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6753", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6753", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6753", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6753", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6753" }, "vendor_specific": true }, "CVE-2016-6786": { "affected_versions": "v2.6.12-rc2 to v4.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf: Fix event->ctx locking", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "f63a8daa5812afef4f06c962351687e1ff9ccb2b", "last_affected_version": "3.18.53", "last_modified": "2023-12-06", "nvd_text": "kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6786", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6786", "SUSE": 
"https://www.suse.com/security/cve/CVE-2016-6786", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6786" } }, "CVE-2016-6787": { "affected_versions": "v2.6.12-rc2 to v4.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf: Fix event->ctx locking", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "f63a8daa5812afef4f06c962351687e1ff9ccb2b", "last_affected_version": "3.18.53", "last_modified": "2023-12-06", "nvd_text": "kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6787", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6787", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6787", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6787", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6787", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6787" } }, "CVE-2016-6828": { "affected_versions": "v2.6.25-rc1 to v4.8-rc5", "breaks": "6859d49475d4f32abe640372117e4b687906e6b6", "cmt_msg": "tcp: fix use after free in tcp_xmit_retransmit_queue()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "bb1fceca22492109be12640d49f5ea5a544c6bb4", "last_affected_version": "4.7.4", "last_modified": "2023-12-06", "nvd_text": "The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-6828", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-6828", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-6828", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-6828", "SUSE": "https://www.suse.com/security/cve/CVE-2016-6828", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6828" } }, "CVE-2016-7039": { "affected_versions": "v4.0-rc1 to v4.9-rc4", "breaks": "9b174d88c257150562b0101fcc6cb6c3cb74275c", "cmt_msg": "net: add recursion limit to GRO", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, 
"cwe": "Resource Management Errors", "fixes": "fcd91dd449867c6bfe56a81cabba76b829fd05cd", "last_affected_version": "4.8.7", "last_modified": "2023-12-06", "nvd_text": "The IP stack in the Linux kernel through 4.8.2 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7039", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7039", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7039", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7039" } }, "CVE-2016-7042": { "affected_versions": "v2.6.12-rc2 to v4.9-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: Fix short sprintf buffer in /proc/keys show function", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Buffer Errors", "fixes": "03dab869b7b239c4e013ec82aea22e181e441cfc", "last_affected_version": "4.8.6", "last_modified": "2023-12-06", "nvd_text": "The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain 
timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7042", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7042", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7042", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7042", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7042", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7042" } }, "CVE-2016-7097": { "affected_versions": "v2.6.12-rc2 to v4.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "posix_acl: Clear SGID bit when setting file permissions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "score": 4.4 }, "cwe": "Improper Authorization", "fixes": "073931017b49d9458aa351605b43a7e34598caef", "last_affected_version": "4.8.5", "last_modified": "2023-12-06", "nvd_text": "The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7097", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7097", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7097", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7097", "SUSE": 
"https://www.suse.com/security/cve/CVE-2016-7097", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7097" } }, "CVE-2016-7117": { "affected_versions": "v2.6.33-rc1 to v4.6-rc1", "breaks": "a2e2725541fad72416326798c2d7fa4dafb7d337", "cmt_msg": "net: Fix use after free in the recvmmsg exit path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Data Handling", "fixes": "34b88a68f26a75e4fded796f1a49c40f82234b7d", "last_affected_version": "4.5.1", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7117", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7117", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7117", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7117", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7117", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7117" } }, "CVE-2016-7118": { "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "fs/fcntl.c in the \"aufs 3.2.x+setfl-debian\" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via standard filesystem operations, as demonstrated by scp from an AUFS filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7118", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7118", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7118", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7118", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7118", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7118" }, "vendor_specific": true }, "CVE-2016-7425": { "affected_versions": "v2.6.12-rc2 to v4.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "7bc2b55a5c030685b399bb65b6baa9ccc3d1f167", "last_affected_version": 
"4.8.3", "last_modified": "2023-12-06", "nvd_text": "The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7425", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7425", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7425", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7425", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7425", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7425" } }, "CVE-2016-7910": { "affected_versions": "v2.6.12-rc2 to v4.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block: fix use-after-free in seq file", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "77da160530dd1dc94f6ae15a981f24e5f0021e84", "last_affected_version": "4.7.0", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-7910", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7910", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7910", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7910", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7910", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7910" } }, "CVE-2016-7911": { "affected_versions": "v2.6.12-rc2 to v4.7-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block: fix use-after-free in sys_ioprio_get()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Race Conditions", "fixes": "8ba8682107ee2ca3347354e018865d8e1967c5f4", "last_affected_version": "4.6.5", "last_modified": "2023-12-06", "nvd_text": "Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7911", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7911", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7911", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7911", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7911", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7911" } }, "CVE-2016-7912": { "affected_versions": "v3.15-rc1 to v4.6-rc5", 
"breaks": "2e4c7553cd6f9c68bb741582dcb614edcbeca70f", "cmt_msg": "usb: gadget: f_fs: Fix use-after-free", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "38740a5b87d53ceb89eb2c970150f6e94e00373a", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7912", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7912", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7912", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7912", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7912", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7912" } }, "CVE-2016-7913": { "affected_versions": "v3.6-rc1 to v4.6-rc1", "breaks": "61a96113de51e1f8f43ac98cbeadb54e60045905", "cmt_msg": "[media] xc2028: avoid use after free", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": 
"High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "8dfbcc4351a0b6d2f2d77f367552f48ffefafe18", "last_affected_version": "4.4.64", "last_modified": "2023-12-06", "nvd_text": "The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7913", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7913", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7913", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7913", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7913", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7913" } }, "CVE-2016-7914": { "affected_versions": "v3.13-rc1 to v4.6-rc4", "breaks": "3cb989501c2688cacbb7dc4b0d353faf838f53a1", "cmt_msg": "assoc_array: don't call compare_object() on a node", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2", "last_affected_version": "4.5.2", "last_modified": "2023-12-06", "nvd_text": "The assoc_array_insert_into_terminal_node 
function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7914", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7914", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7914", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7914", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7914", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7914" } }, "CVE-2016-7915": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: core: prevent out-of-bound readings", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "score": "4.3" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "score": "5.5" }, "cwe": "Out-of-bounds Read", "fixes": "50220dead1650609206efe91f0cc116132d59b3f", "last_affected_version": "4.4.20", "last_modified": "2023-12-06", "nvd_text": "The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7915", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2016-7915", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7915", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7915", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7915", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7915" } }, "CVE-2016-7916": { "affected_versions": "v2.6.12-rc2 to v4.6-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "proc: prevent accessing /proc/<PID>/environ until it's ready", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Race Conditions", "fixes": "8148a73c9901a8794a50f950083c00ccf97d43b3", "last_affected_version": "4.5.3", "last_modified": "2023-12-06", "nvd_text": "Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7916", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7916", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7916", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7916", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7916", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7916" } }, "CVE-2016-7917": { "affected_versions": "v3.19-rc5 to v4.5-rc6", "backport": 
true, "breaks": "9ea2aa8b7dba9e99544c4187cc298face254569f", "cmt_msg": "netfilter: nfnetlink: correctly validate length of batch messages", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "score": 5.0 }, "cwe": "Out-of-bounds Read", "fixes": "c58d6c93680f28ac58984af61d0a7ebf4319c241", "last_affected_version": "4.4.64", "last_modified": "2023-12-06", "nvd_text": "The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-7917", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-7917", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-7917", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-7917", "SUSE": "https://www.suse.com/security/cve/CVE-2016-7917", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7917" } }, "CVE-2016-8399": { "affected_versions": "v3.19-rc1 to v4.9", "breaks": "c0371da6047abd261bc483c744dbc7d81a116172", "cmt_msg": "net: ping: check minimum size on ICMP header length", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": 
"Complete", "raw": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "score": 7.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Access Control", "fixes": "0eab121ef8750a5c8637d51534d5e9143fb0633f", "last_affected_version": "4.8", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8399", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8399", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8399", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8399", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8399", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8399" } }, "CVE-2016-8401": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": 
"", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31494725.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8401", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8401", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8401", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8401", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8401", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8401" }, "vendor_specific": true }, "CVE-2016-8402": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-31495231.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8402", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8402", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8402", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8402", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8402", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8402" }, "vendor_specific": true }, "CVE-2016-8403": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. 
Android ID: A-31495348.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8403", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8403", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8403", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8403", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8403", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8403" }, "vendor_specific": true }, "CVE-2016-8404": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. 
Android ID: A-31496950.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8404", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8404", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8404", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8404", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8404", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8404" }, "vendor_specific": true }, "CVE-2016-8405": { "affected_versions": "v2.6.12-rc2 to v4.10-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbdev: color map copying bounds checking", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "2dc705a9930b4806250fbf5a76e55266e59389f2", "last_affected_version": "4.9.6", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-31651010.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8405", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8405", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8405", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8405", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8405", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8405" } }, "CVE-2016-8406": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-31796940.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8406", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8406", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8406", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8406", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8406", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8406" }, "vendor_specific": true }, "CVE-2016-8407": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-31802656.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8407", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8407", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8407", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8407", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8407", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8407" }, "vendor_specific": true }, "CVE-2016-8630": { "affected_versions": "v3.17-rc1 to v4.9-rc4", "breaks": "41061cdb98a0bec464278b4db8e894a3121671f5", "cmt_msg": "kvm: x86: Check memopp before dereference (CVE-2016-8630)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "d9092f52d7e61dd1557f2db2400ddb430e85937e", "last_affected_version": "4.8.6", "last_modified": "2023-12-06", "nvd_text": "The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8630", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8630", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8630", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8630" } }, "CVE-2016-8632": { "affected_versions": "v2.6.16-rc1 to v4.9-rc8", "breaks": "b97bf3fd8f6a16966d4f18983b2c40993ff937d4", "cmt_msg": "tipc: check minimum bearer MTU", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "3de81b758853f0b29c61e246679d20b513c4cfec", "last_affected_version": "4.8.13", "last_modified": "2023-12-06", "nvd_text": "The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8632", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8632", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8632", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8632", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8632", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8632" } }, "CVE-2016-8633": { "affected_versions": "v2.6.12-rc2 to v4.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "firewire: net: guard against rx buffer overflows", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "score": 6.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Buffer Errors", "fixes": "667121ace9dbafb368618dbabcf07901c962ddac", "last_affected_version": "4.8.6", "last_modified": "2023-12-06", "nvd_text": "drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8633", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8633", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8633", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8633" } }, "CVE-2016-8636": { "affected_versions": "v4.8-rc1 to v4.10-rc8", "breaks": "8700e3e7c4857d28ebaa824509934556da0b3e76", "cmt_msg": "IB/rxe: Fix mem_check_range integer overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": 
"647bf3d8a8e5777319da92af672289b2a6c4dc66", "last_affected_version": "4.9.9", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the \"RDMA protocol over infiniband\" (aka Soft RoCE) technology.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8636", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8636", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8636", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8636" } }, "CVE-2016-8645": { "affected_versions": "v2.6.12-rc2 to v4.9-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: take care of truncations done by sk_filter()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "ac6e780070e30e4c35bd395acfe9191e6268bdd3", "last_affected_version": "4.8.9", "last_modified": "2023-12-06", "nvd_text": "The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes 
sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8645", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8645", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8645", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8645", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8645", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8645" } }, "CVE-2016-8646": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: algif_hash - Only export and import on sockets with data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "4afa5f9617927453ac04b24b584f6c718dfb4f45", "last_affected_version": "4.3.5", "last_modified": "2023-12-06", "nvd_text": "The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8646", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8646", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8646", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8646" } }, "CVE-2016-8650": { "affected_versions": "v3.3-rc1 to v4.9-rc7", "breaks": "cdec9cb5167ab1113ba9c58e395f664d9d3f9acb", "cmt_msg": "mpi: Fix NULL ptr dereference in mpi_powm() ", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "f5527fffff3f002b0a6b376163613b82f69de073", "last_affected_version": "4.8.11", "last_modified": "2023-12-06", "nvd_text": "The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8650", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8650", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8650", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8650", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8650", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8650" } }, "CVE-2016-8655": { "affected_versions": "v3.2-rc1 to v4.9-rc8", "breaks": "f6fb8f100b807378fda19e83e5ac6828b638603a", "cmt_msg": "packet: fix race condition in packet_set_ring", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": 
"Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Race Conditions", "fixes": "84ac7260236a49c79eede91617700174c2c19b0c", "last_affected_version": "4.8.13", "last_modified": "2023-12-06", "nvd_text": "Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8655", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8655", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8655", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8655", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8655", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8655" } }, "CVE-2016-8658": { "affected_versions": "v3.7-rc1 to v4.8-rc7", "breaks": "1a87334239757b69eb9885979c32bbf871b3ec88", "cmt_msg": "brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "score": 6.1 }, 
"cwe": "Buffer Errors", "fixes": "ded89912156b1a47d940a0c954c43afbabd0c42c", "last_affected_version": "4.7.4", "last_modified": "2023-12-06", "nvd_text": "Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.7.5 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8658", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8658", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8658", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8658", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8658", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8658" } }, "CVE-2016-8660": { "affected_versions": "v4.4-rc1 to unk", "breaks": "fc0561cefc04e7803c0f6501ca4f310a502f65b8", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Data Handling", "fixes": "-", "last_modified": "2023-12-06", "nvd_text": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2016-8660", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8660", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8660", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8660" } }, "CVE-2016-8666": { "affected_versions": "v3.14-rc1 to v4.6-rc1", "breaks": "bf5a755f5e9186406bbf50f4087100af5bd68e40", "cmt_msg": "tunnels: Don't apply GRO to multiple layers of encapsulation.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "fac8e0f579695a3ecbc4d3cac369139d7f819971", "last_affected_version": "4.4.28", "last_modified": "2023-12-06", "nvd_text": "The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-8666", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-8666", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-8666", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-8666", "SUSE": "https://www.suse.com/security/cve/CVE-2016-8666", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8666" } }, "CVE-2016-9083": { "affected_versions": "v3.6-rc1 to v4.9-rc4", "breaks": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "cmt_msg": "vfio/pci: Fix integer overflows, bitmask check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "05692d7005a364add85c6e25a6c4447ce08f913a", "last_affected_version": "4.4.64", "last_modified": "2023-12-06", "nvd_text": "drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a \"state machine confusion bug.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9083", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9083", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9083", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9083", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9083", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9083" } }, "CVE-2016-9084": { "affected_versions": "v3.6-rc1 to v4.9-rc4", "breaks": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "cmt_msg": "vfio/pci: Fix integer overflows, bitmask check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "05692d7005a364add85c6e25a6c4447ce08f913a", "last_affected_version": "4.4.64", "last_modified": "2023-12-06", "nvd_text": "drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9084", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9084", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9084", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9084", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9084", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9084" } }, "CVE-2016-9120": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "staging/android/ion : fix a race condition in the ion driver", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "9590232bb4f4cc824f3425a6e1349afbe6d6d2b7", "last_affected_version": "4.4.64", "last_modified": "2023-12-06", "nvd_text": "Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9120", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9120", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9120", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9120", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9120", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9120" } }, "CVE-2016-9178": { "affected_versions": "v2.6.12-rc2 to v4.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fix minor infoleak in get_user_ex()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "1c109fabbd51863475cd12ac206bdd249aee35af", "last_affected_version": "4.7.4", "last_modified": "2023-12-06", "nvd_text": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from 
kernel stack memory by triggering failure of a get_user_ex call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9178", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9178", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9178", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9178", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9178", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9178" } }, "CVE-2016-9191": { "affected_versions": "v3.11-rc1 to v4.10-rc4", "breaks": "f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa", "cmt_msg": "sysctl: Drop reference added by grab_header in proc_sys_readdir", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "93362fa47fe98b62e4a34ab408c4a418432e7939", "last_affected_version": "4.9.4", "last_modified": "2023-12-06", "nvd_text": "The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9191", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9191", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9191", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9191", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9191", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9191" } }, "CVE-2016-9313": { "affected_versions": "v4.7-rc1 to v4.9-rc3", "breaks": "13100a72f40f5748a04017e0ab3df4cf27c809ef", "cmt_msg": "KEYS: Sort out big_key initialisation", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "7df3e59c3d1df4f87fe874c7956ef7a3d2f4d5fb", "last_affected_version": "4.8.6", "last_modified": "2023-12-06", "nvd_text": "security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9313", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9313", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9313", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9313", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9313", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9313" } }, "CVE-2016-9555": { "affected_versions": "v2.6.12-rc2 to v4.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: validate chunk len before actually using it", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network 
Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Out-of-bounds Read", "fixes": "bf911e985d6bbaa328c20c3e05f4eb03de11fdd6", "last_affected_version": "4.8.7", "last_modified": "2023-12-06", "nvd_text": "The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9555", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9555", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9555", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9555", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9555", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9555" } }, "CVE-2016-9576": { "affected_versions": "v4.9-rc7 to v4.9", "breaks": "16ae16c6e5616c084168740990fc508bda6655d4", "cmt_msg": "Don't feed anything but regular iovec's to blk_rq_map_user_iov", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "a0ac402cfcdc904f9772e1762b3fda112dcc56a0", "last_affected_version": "4.8", "last_modified": "2023-12-06", "nvd_text": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9576", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9576", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9576", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9576", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9576", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9576" } }, "CVE-2016-9588": { "affected_versions": "v2.6.12-rc2 to v4.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Error Handling", "fixes": "ef85b67385436ddc1998f45f1d6a210f935b3388", "last_affected_version": "4.9.1", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial 
of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9588", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9588", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9588", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9588" } }, "CVE-2016-9604": { "affected_versions": "v2.6.12-rc2 to v4.11-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "score": 4.4 }, "cwe": "Improper Verification of Cryptographic Signature", "fixes": "ee8f844e3c5a73b999edf733df1c529d6503ec2f", "last_affected_version": "4.10.12", "last_modified": "2023-12-06", "nvd_text": "It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. 
This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9604", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9604", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9604", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9604", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9604", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9604" } }, "CVE-2016-9644": { "backport": true, "breaks": "1c109fabbd51863475cd12ac206bdd249aee35af", "cmt_msg": "x86/mm: Expand the exception table logic to allow new handling options", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "548acf19234dbda5a52d5a8e7e205af46e9da840", "last_affected_version": "4.4.28", "last_modified": "2023-12-06", "nvd_text": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 contains extended asm statements that are incompatible with the exception table, which allows local users to obtain root access on non-SMEP platforms via a crafted application. 
NOTE: this vulnerability exists because of incorrect backporting of the CVE-2016-9178 patch to older kernels.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9644", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9644", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9644", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9644", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9644", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9644" } }, "CVE-2016-9685": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: fix two memory leaks in xfs_attr_list.c error paths", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "2e83b79b2d6c78bf1b4aa227938a214dcbddc83f", "last_affected_version": "4.5.0", "last_modified": "2023-12-06", "nvd_text": "Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9685", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9685", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9685", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9685", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9685", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9685" } }, "CVE-2016-9754": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ring-buffer: Prevent overflow of size in ring_buffer_resize()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "59643d1535eb220668692a5359de22545af579f6", "last_affected_version": "4.6.0", "last_modified": "2023-12-06", "nvd_text": "The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9754", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9754", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9754", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9754", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9754", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9754" } }, "CVE-2016-9755": { "affected_versions": "v4.5-rc1 to v4.9-rc8", "breaks": "029f7f3b8701cc7aca8bdb31f0c7edd6a479e357", "cmt_msg": "netfilter: ipv6: nf_defrag: drop mangled skb on ream error", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability 
Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa", "last_modified": "2023-12-06", "nvd_text": "The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9755", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9755", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9755", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9755", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9755", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9755" } }, "CVE-2016-9756": { "affected_versions": "v3.18-rc2 to v4.9-rc7", "breaks": "d1442d85cc30ea75f7d399474ca738e0bc96f715", "cmt_msg": "KVM: x86: drop error recovery in em_jmp_far and em_ret_far", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": 
"Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "2117d5398c81554fbf803f5fd1dc55eb78216c0c", "last_affected_version": "4.8.11", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9756", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9756", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9756", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9756", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9756", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9756" } }, "CVE-2016-9777": { "affected_versions": "v4.8-rc1 to v4.9-rc7", "breaks": "af1bae5497b98cb99d6b0492e6981f060420a00c", "cmt_msg": "KVM: x86: fix out-of-bounds accesses of rtc_eoi map", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "81cdb259fb6d8c1c4ecfeea389ff5a73c07f5755", "last_affected_version": "4.8.11", "last_modified": "2023-12-06", "nvd_text": "KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or 
cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9777", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9777", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9777", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9777" } }, "CVE-2016-9793": { "affected_versions": "v3.5-rc1 to v4.9-rc8", "breaks": "82981930125abfd39d7c8378a9cfdf5e1be2002b", "cmt_msg": "net: avoid signed overflows for SO_{SND|RCV}BUFFORCE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "b98b0bc8c431e3ceb4b26b0dfc8db509518fb290", "last_affected_version": "4.8.13", "last_modified": "2023-12-06", "nvd_text": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9793", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2016-9793", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9793", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9793", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9793", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9793" } }, "CVE-2016-9794": { "affected_versions": "v2.6.12-rc2 to v4.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: pcm : Call kill_fasync() in stream lock", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Race Conditions", "fixes": "3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4", "last_affected_version": "4.4.36", "last_modified": "2023-12-06", "nvd_text": "Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9794", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9794", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9794", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9794", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9794", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9794" } }, "CVE-2016-9806": { "affected_versions": "v3.12-rc1 to v4.7-rc1", "breaks": 
"16b304f3404f8e0243d5ee2b70b68767b7b59b2b", "cmt_msg": "netlink: Fix dump skb leak/double free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Race Conditions", "fixes": "92964c79b357efd980812c4de5c1fd2ec8bb5520", "last_affected_version": "4.6.2", "last_modified": "2023-12-06", "nvd_text": "Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9806", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9806", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9806", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9806", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9806", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9806" } }, "CVE-2016-9919": { "affected_versions": "v4.9-rc6 to v4.9-rc8", "breaks": "5d41ce29e3b91ef305f88d23f72b3359de329cec", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack 
Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Input Validation", "fixes": "79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2", "last_modified": "2023-12-06", "nvd_text": "The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2016-9919", "ExploitDB": "https://www.exploit-db.com/search?cve=2016-9919", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2016-9919", "Red Hat": "https://access.redhat.com/security/cve/CVE-2016-9919", "SUSE": "https://www.suse.com/security/cve/CVE-2016-9919", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9919" } }, "CVE-2017-0403": { "breaks": "", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "score": 7.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. 
Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402548.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0403", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0403", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0403", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0403", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0403", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0403" }, "vendor_specific": true }, "CVE-2017-0404": { "breaks": "", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "score": 7.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-32510733.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0404", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0404", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0404", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0404", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0404", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0404" }, "vendor_specific": true }, "CVE-2017-0426": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in the Filesystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Product: Android. Versions: 7.0, 7.1.1. 
Android ID: A-32799236.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0426", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0426", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0426", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0426", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0426", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0426" }, "vendor_specific": true }, "CVE-2017-0427": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-31495866.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0427", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0427", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0427", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0427", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0427", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0427" }, "vendor_specific": true }, "CVE-2017-0507": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-31992382.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0507", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0507", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0507", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0507", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0507", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0507" }, "vendor_specific": true }, "CVE-2017-0508": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. 
Android ID: A-33940449.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0508", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0508", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0508", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0508" }, "vendor_specific": true }, "CVE-2017-0510": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. 
Android ID: A-32402555.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0510", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0510", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0510", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0510", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0510", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0510" }, "vendor_specific": true }, "CVE-2017-0528": { "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to to execute code in the context of a privileged process. This issue is rated as High because it is a general bypass for a kernel level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. 
Android ID: A-33351919.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0528", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0528", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0528", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0528", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0528", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0528" }, "vendor_specific": true }, "CVE-2017-0537": { "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "score": 2.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. 
Android ID: A-31614969.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0537", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0537", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0537", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0537", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0537", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0537" }, "vendor_specific": true }, "CVE-2017-0564": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-34276203.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0564", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0564", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0564", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0564", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0564", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0564" }, "vendor_specific": true }, "CVE-2017-0605": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()", "cvss2": "9.3", "cvss3": "7.8", "fixes": "e09e28671cda63e6308b31798b997639120e2a21", "last_affected_version": "4.9.268", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0605", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0605", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0605", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0605", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0605", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0605" }, "rejected": true }, "CVE-2017-0627": { "affected_versions": "v2.6.12-rc2 to v4.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: uvcvideo: Prevent heap overflow when accessing mapped controls", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "score": 2.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba", "last_affected_version": "4.13.3", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-33300353.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0627", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0627", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0627", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0627", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0627", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0627" } }, "CVE-2017-0630": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "score": 2.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. 
Android ID: A-34277115.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0630", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0630", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0630", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0630" }, "vendor_specific": true }, "CVE-2017-0749": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A elevation of privilege vulnerability in the Upstream Linux linux kernel. Product: Android. Versions: Android kernel. 
Android ID: A-36007735.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0749", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0749", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0749", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0749", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0749", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0749" }, "vendor_specific": true }, "CVE-2017-0750": { "affected_versions": "v3.8-rc1 to v4.5-rc1", "breaks": "e05df3b115e7308afbca652769b54e4549fcc723", "cmt_msg": "f2fs: do more integrity verification for superblock", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "9a59b62fd88196844cee5fff851bee2cfd7afb6e", "last_affected_version": "4.4.65", "last_modified": "2023-12-06", "nvd_text": "A elevation of privilege vulnerability in the Upstream Linux file system. Product: Android. Versions: Android kernel. 
Android ID: A-36817013.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0750", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0750", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0750", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0750", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0750", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0750" } }, "CVE-2017-0786": { "affected_versions": "v2.6.12-rc2 to v4.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "brcmfmac: add length check in brcmf_cfg80211_escan_handler()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "score": 5.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Unspecified", "fixes": "17df6453d4be17910456e99c5a85025aa1b7a246", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "A elevation of privilege vulnerability in the Broadcom wi-fi driver. Product: Android. Versions: Android kernel. Android ID: A-37351060. 
References: B-V2017060101.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0786", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0786", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0786", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0786" } }, "CVE-2017-0861": { "affected_versions": "v2.6.12-rc2 to v4.15-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: pcm: prevent UAF in snd_pcm_info", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "362bca57f5d78220f8b5907b875961af9436e229", "last_affected_version": "4.14.5", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-0861", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-0861", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-0861", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-0861", "SUSE": "https://www.suse.com/security/cve/CVE-2017-0861", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0861" } }, "CVE-2017-1000": { "affected_versions": "v2.6.15-rc1 to v4.13-rc5", 
"breaks": "e89e9cf539a28df7d0eb1d0a545368e9920b34ac", "cmt_msg": "udp: consistently apply ufo or fragmentation", "fixes": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "last_affected_version": "4.12.6", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000" }, "rejected": true }, "CVE-2017-1000111": { "affected_versions": "v2.6.27-rc1 to v4.13-rc5", "breaks": "8913336a7e8d56e984109a3137d6c0e3362596a4", "cmt_msg": "packet: fix tp_reserve race in packet_set_ring", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c27927e372f0785f3303e8fad94b85945e2c97b7", "last_affected_version": "4.12.6", "last_modified": "2023-12-06", "nvd_text": "Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. 
Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000111", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000111", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000111", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000111", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000111", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000111" } }, "CVE-2017-1000112": { "affected_versions": "v2.6.15-rc1 to v4.13-rc5", "breaks": "e89e9cf539a28df7d0eb1d0a545368e9920b34ac", "cmt_msg": "udp: consistently apply ufo or fragmentation", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "last_affected_version": "4.12.6", "last_modified": "2023-12-06", "nvd_text": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. 
However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000112", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000112", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000112", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000112", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000112", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112" } }, "CVE-2017-1000251": { "affected_versions": "v2.6.12-rc2 to v4.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Properly check L2CAP config option output buffer length", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "score": 7.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.0 }, "cwe": "Buffer Errors", "fixes": "e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3", "last_affected_version": "4.13.1", "last_modified": "2023-12-06", 
"nvd_text": "The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000251", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000251", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000251", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000251", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000251", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000251" } }, "CVE-2017-1000252": { "affected_versions": "v4.4-rc1 to v4.14-rc1", "breaks": "efc644048ecde54f016011fe10110addd0de348f", "cmt_msg": "KVM: VMX: Do not BUG() on out-of-bounds guest IRQ", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000252", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-1000252", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000252", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000252", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000252", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000252" } }, "CVE-2017-1000253": { "affected_versions": "v2.6.12-rc2 to v4.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs/binfmt_elf.c: fix bug in loading of PIE binaries", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "a87938b2e246b81b4fb713edb371a9fa3c5c3c86", "last_affected_version": "3.18.13", "last_modified": "2023-12-06", "nvd_text": "Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. 
Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the \"gap\" between the stack and the binary.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000253", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000253", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000253", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000253", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000253", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000253" } }, "CVE-2017-1000255": { "affected_versions": "v4.9-rc1 to v4.14-rc5", "breaks": "5d176f751ee3c6eededd984ad409bff201f436a7", "cmt_msg": "powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:N/I:C/A:C", "score": 6.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Write", "fixes": "265e60a170d0a0ecfc2d20490134ed2c48dd45ab", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "On Linux running on PowerPC hardware (Power8 or later) a user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. 
As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written. This flaw was introduced in commit: \"5d176f751ee3 (powerpc: tm: Enable transactional memory (TM) lazily for userspace)\" which was merged upstream into v4.9-rc1. Please note that kernels built with CONFIG_PPC_TRANSACTIONAL_MEM=n are not vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000255", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000255", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000255", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000255", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000255", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000255" } }, "CVE-2017-1000363": { "affected_versions": "v2.6.12-rc2 to v4.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "char: lp: fix possible integer overflow in lp_setup()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1", "last_affected_version": "4.11.2", "last_modified": "2023-12-06", "nvd_text": "Linux drivers/char/lp.c Out-of-Bounds Write. 
Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000363", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000363", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000363", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000363", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000363", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000363" } }, "CVE-2017-1000364": { "affected_versions": "v2.6.36-rc1 to v4.12-rc6", "breaks": "320b2b8de12698082609ebbc1a17165727f4c893", "cmt_msg": "mm: larger stack guard gap, between vmas", "cvss2": { "Access Complexity": "High", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "score": 6.2 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.4 }, "cwe": "Buffer Errors", "fixes": "1be7107fbe18eed3e319a6c3e83c78254b693acb", "last_affected_version": "4.11.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be \"jumped\" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard 
page was introduced in 2010).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000364", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000364", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000364", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000364", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000364", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000364" } }, "CVE-2017-1000365": { "affected_versions": "v2.6.23-rc1 to v4.12-rc7", "breaks": "b6a2fea39318e43fee84fa7b0b90d68bed92d2ba", "cmt_msg": "fs/exec.c: account for argv/envp pointers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "98da7d08850fb8bdeb395d6368ed15753304aa0c", "last_affected_version": "4.11.7", "last_modified": "2023-12-06", "nvd_text": "The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. 
It appears that this feature was introduced in the Linux Kernel version 2.6.23.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000365", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000365", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000365", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000365", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000365", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000365" } }, "CVE-2017-1000370": { "affected_versions": "v4.1-rc1 to v4.13-rc1", "breaks": "d1fd836dcf00d2028c700c7e44d2c23404062c90", "cmt_msg": "binfmt_elf: use ELF_ET_DYN_BASE only for PIE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "eab09532d40090698b05a07c1c87f39fdbc5fab5", "last_affected_version": "4.12.2", "last_modified": "2023-12-06", "nvd_text": "The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. 
This issue appears to be limited to i386 based systems.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000370", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000370", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000370", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000370", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000370", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000370" } }, "CVE-2017-1000371": { "affected_versions": "v4.1-rc1 to v4.13-rc1", "breaks": "d1fd836dcf00d2028c700c7e44d2c23404062c90", "cmt_msg": "binfmt_elf: use ELF_ET_DYN_BASE only for PIE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "eab09532d40090698b05a07c1c87f39fdbc5fab5", "last_affected_version": "4.12.2", "last_modified": "2023-12-06", "nvd_text": "The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. 
This issue appears to be limited to i386 based systems.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000371", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000371", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000371", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000371", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000371", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000371" } }, "CVE-2017-1000379": { "affected_versions": "v2.6.12-rc2 to v4.12-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: larger stack guard gap, between vmas", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "1be7107fbe18eed3e319a6c3e83c78254b693acb", "last_affected_version": "4.11.6", "last_modified": "2023-12-06", "nvd_text": "The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. 
Linux Kernel version 4.11.5 is affected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000379", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000379", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000379", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000379", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000379", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000379" } }, "CVE-2017-1000380": { "affected_versions": "v2.6.12-rc2 to v4.12-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Fix race between read and ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "d11662f4f798b50d8c8743f433842c3e40fe3378", "last_affected_version": "4.11.4", "last_modified": "2023-12-06", "nvd_text": "sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000380", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000380", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000380", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000380", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-1000380", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000380" } }, "CVE-2017-1000405": { "affected_versions": "v4.10-rc6 to v4.15-rc2", "backport": true, "breaks": "8310d48b125d19fcd9521d83b8293e63eb1646aa", "cmt_msg": "mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "a8f97366452ed491d13cf1e44241bc0b5740b1f0", "last_affected_version": "4.14.3", "last_modified": "2023-12-06", "name": "Dirty COW (variant)", "nvd_text": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). 
Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000405", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000405", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000405", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000405", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000405", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000405" } }, "CVE-2017-1000407": { "affected_versions": "v2.6.12-rc2 to v4.15-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: VMX: remove I/O port 0x80 bypass on Intel hosts", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "score": 7.4 }, "cwe": "Improper Check for Unusual or Exceptional Conditions", "fixes": "d59d51f088014f25c2562de59b9abff4f42a7468", "last_affected_version": "4.14.5", "last_modified": "2023-12-06", "nvd_text": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000407", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000407", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000407", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000407", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000407", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000407" } }, "CVE-2017-1000410": { "affected_versions": "v3.3-rc1 to v4.15-rc8", "breaks": "42dceae2819b5ac6fc9a0d414ae05a8960e2a1d9", "cmt_msg": "Bluetooth: Prevent stack info leak from the EFS element.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "06e7e776ca4d36547e503279aeff996cbb292c16", "last_affected_version": "4.14.13", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel version 3.3-rc1 and later is affected by a vulnerability that lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. 
These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-1000410", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-1000410", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000410", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-1000410", "SUSE": "https://www.suse.com/security/cve/CVE-2017-1000410", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000410" } }, "CVE-2017-10661": { "affected_versions": "v2.6.12-rc2 to v4.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "timerfd: Protect the might cancel mechanism proper", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "score": 7.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "1e38da300e1e395a15048b0af1e5305bd91402f6", "last_affected_version": "4.10.14", "last_modified": "2023-12-06", "nvd_text": "Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-10661", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-10661", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-10661", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-10661", "SUSE": "https://www.suse.com/security/cve/CVE-2017-10661", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10661" } }, "CVE-2017-10662": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: sanity check segment count", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "b9dd46188edc2f0d1f37328637860bb65a771124", "last_affected_version": "4.11.0", "last_modified": "2023-12-06", "nvd_text": "The sanity_check_raw_super function in 
fs/f2fs/super.c in the Linux kernel before 4.11.1 does not validate the segment count, which allows local users to gain privileges via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-10662", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-10662", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-10662", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-10662", "SUSE": "https://www.suse.com/security/cve/CVE-2017-10662", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10662" } }, "CVE-2017-10663": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: sanity check checkpoint segno and blkoff", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Validation of Array Index", "fixes": "15d3042a937c13f5d9244241c7a9c8416ff6e82a", "last_affected_version": "4.12.3", "last_modified": "2023-12-06", "nvd_text": "The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-10663", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-10663", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-10663", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-10663", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-10663", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10663" } }, "CVE-2017-10810": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/virtio: don't leak bo on drm_gem_object_init failure", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "385aee965b4e4c36551c362a334378d2985b722a", "last_affected_version": "4.11.9", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-10810", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-10810", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-10810", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-10810", "SUSE": "https://www.suse.com/security/cve/CVE-2017-10810", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10810" } }, "CVE-2017-10911": { "affected_versions": "v2.6.12-rc2 to v4.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-blkback: don't leak stack data via response ring", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": 
"None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Information Leak / Disclosure", "fixes": "089bc0143f489bd3a4578bdff5f4ca68fb26f341", "last_affected_version": "4.11.7", "last_modified": "2023-12-06", "nvd_text": "The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-10911", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-10911", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-10911", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-10911", "SUSE": "https://www.suse.com/security/cve/CVE-2017-10911", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10911" } }, "CVE-2017-11089": { "affected_versions": "v3.9-rc1 to v4.13-rc1", "breaks": "3b1c5a5307fb5277f395efdcf330c064d79df07d", "cmt_msg": "cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": 
"Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "8feb69c7bd89513be80eb19198d48f154b254021", "last_affected_version": "4.12.2", "last_modified": "2023-12-06", "nvd_text": "In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-11089", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-11089", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-11089", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-11089", "SUSE": "https://www.suse.com/security/cve/CVE-2017-11089", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11089" } }, "CVE-2017-11176": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mqueue: fix a use-after-free in sys_mq_notify()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f991af3daabaecff34684fd51fac80319d1baad1", "last_affected_version": "4.12.1", "last_modified": "2023-12-06", "nvd_text": "The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry 
logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-11176", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-11176", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-11176", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-11176", "SUSE": "https://www.suse.com/security/cve/CVE-2017-11176", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11176" } }, "CVE-2017-11472": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ACPICA: Namespace: fix operand cache leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "score": 7.1 }, "cwe": "Information Leak / Disclosure", "fixes": "3b2d69114fefa474fca542e51119036dceb4aa6f", "last_affected_version": "4.9.78", "last_modified": "2023-12-06", "nvd_text": "The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-11472", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-11472", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2017-11472", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-11472", "SUSE": "https://www.suse.com/security/cve/CVE-2017-11472", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11472" } }, "CVE-2017-11473": { "affected_versions": "v2.6.12-rc2 to v4.13-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/acpi: Prevent out of bound access caused by broken ACPI tables", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "dad5ab0db8deac535d03e3fe3d8f2892173fa6a4", "last_affected_version": "4.12.3", "last_modified": "2023-12-06", "nvd_text": "Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 3.2 allows local users to gain privileges via a crafted ACPI table.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-11473", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-11473", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-11473", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-11473", "SUSE": "https://www.suse.com/security/cve/CVE-2017-11473", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11473" } }, "CVE-2017-11600": { "affected_versions": "v2.6.21-rc1 to v4.13", "breaks": "80c9abaabf4283f7cf4a0b3597cd302506635b7f", "cmt_msg": "xfrm: policy: check policy direction value", "cvss2": { "Access Complexity": "Medium", 
"Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Out-of-bounds Read", "fixes": "7bab09631c2a303f87a7eb7e3d69e888673b9b7e", "last_affected_version": "4.12", "last_modified": "2023-12-06", "nvd_text": "net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-11600", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-11600", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-11600", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-11600", "SUSE": "https://www.suse.com/security/cve/CVE-2017-11600", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11600" } }, "CVE-2017-12134": { "affected_versions": "v2.6.37-rc1 to v4.13-rc6", "breaks": "d8e0420603cf1ce9cb459c00ea0b7337de41b968", "cmt_msg": "xen: fix bio vec merging", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", 
"Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "462cdace790ac2ed6aad1b19c9c0af0143b6aab0", "last_affected_version": "4.12.8", "last_modified": "2023-12-06", "nvd_text": "The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12134", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12134", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12134", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12134", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12134", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12134" } }, "CVE-2017-12146": { "affected_versions": "v3.17-rc1 to v4.13-rc1", "breaks": "3d713e0e382e6fcfb4bba1501645b66c129ad60b", "cmt_msg": "driver core: platform: fix race condition with driver_override", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "6265539776a0810b7ce6398c27866ddb9c6bd154", "last_affected_version": "4.12.0", "last_modified": "2023-12-06", 
"nvd_text": "The driver_override implementation in drivers/base/platform.c in the Linux kernel before 4.12.1 allows local users to gain privileges by leveraging a race condition between a read operation and a store operation that involve different overrides.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12146", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12146", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12146", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12146", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12146", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12146" } }, "CVE-2017-12153": { "affected_versions": "v3.1-rc1 to v4.14-rc2", "breaks": "e5497d766adb92bcbd1fa4a147e188f84f34b20a", "cmt_msg": "nl80211: check for the required netlink attributes presence", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "NULL Pointer Dereference", "fixes": "e785fa0a164aa11001cba931367c7f94ffaff888", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. 
This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12153", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12153", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12153", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12153", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12153", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12153" } }, "CVE-2017-12154": { "affected_versions": "v2.6.12-rc2 to v4.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kvm: nVMX: Don't allow L2 to access the hardware CR8", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "score": 7.1 }, "cwe": "Unspecified", "fixes": "51aa68e7d57e3217192d88ce90fd5b8ef29ec94f", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the \"CR8-load exiting\" and \"CR8-store exiting\" L0 vmcs02 controls exist in cases where L1 omits the \"use TPR shadow\" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12154", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12154", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12154", "Red 
Hat": "https://access.redhat.com/security/cve/CVE-2017-12154", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12154", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12154" } }, "CVE-2017-12168": { "affected_versions": "v2.6.12-rc2 to v4.9-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm64: KVM: pmu: Fix AArch32 cycle counter access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "score": 6.0 }, "cwe": "Input Validation", "fixes": "9e3f7a29694049edd728e2400ab57ad7553e5aa9", "last_affected_version": "4.8.10", "last_modified": "2023-12-06", "nvd_text": "The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12168", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12168", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12168", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12168", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12168", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12168" } }, "CVE-2017-12188": { "affected_versions": "v4.6-rc1 to v4.14-rc5", "breaks": "6bb69c9b69c315200ddc2bc79aee14c0184cf5b2", "cmt_msg": "KVM: nVMX: update last_nonleaf_level when initializing nested EPT", "cvss2": { 
"Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Path Traversal", "fixes": "fd19d3b45164466a4adce7cbff448ba9189e1427", "last_affected_version": "4.13.7", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12188", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12188", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12188", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12188", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12188", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12188" } }, "CVE-2017-12190": { "affected_versions": "v2.6.12-rc2 to v4.14-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fix unbalanced page refcounting in bio_map_user_iov", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Buffer Errors", "fixes": "95d78c28b5a85bacbc29b8dba7c04babb9b0d467", "last_affected_version": "4.13.7", "last_modified": "2023-12-06", "nvd_text": "The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12190", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12190", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12190", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12190", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12190", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12190" } }, "CVE-2017-12192": { "affected_versions": "v3.13-rc1 to v4.14-rc3", "breaks": "61ea0c0ba904a55f55317d850c1072ff7835ac92", "cmt_msg": "KEYS: prevent KEYCTL_READ on negative key", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "37863c43b2c6464f252862bf2e9768264e961678", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12192", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12192", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12192", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12192", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12192", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12192" } }, "CVE-2017-12193": { "affected_versions": "v3.13-rc1 to v4.14-rc7", "breaks": "3cb989501c2688cacbb7dc4b0d353faf838f53a1", "cmt_msg": "assoc_array: Fix a buggy node-splitting case", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "ea6789980fdaa610d7eb63602c746bf6ec70cd2b", "last_affected_version": "4.13.10", "last_modified": "2023-12-06", "nvd_text": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, 
which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12193", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12193", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12193", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12193", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12193", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12193" } }, "CVE-2017-12762": { "affected_versions": "v2.6.12-rc2 to v4.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isdn/i4l: fix buffer overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Buffer Errors", "fixes": "9f5af546e6acc30f075828cb58c7f09665033967", "last_affected_version": "4.12.4", "last_modified": "2023-12-06", "nvd_text": "In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. 
This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-12762", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-12762", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-12762", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-12762", "SUSE": "https://www.suse.com/security/cve/CVE-2017-12762", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12762" } }, "CVE-2017-13080": { "affected_versions": "unk to v4.14-rc6", "breaks": "", "cmt_msg": "mac80211: accept key reinstall without changing anything", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:M/Au:N/C:N/I:P/A:N", "score": 2.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 5.3 }, "cwe": "Security Features", "fixes": "fdf7cb4185b60c68e1a75e61691c4afdc15dea0e", "last_affected_version": "4.13.13", "last_modified": "2023-12-06", "nvd_text": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13080", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13080", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13080", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13080", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13080", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13080" } }, "CVE-2017-13166": { "affected_versions": "v2.6.32-rc1 to v4.16-rc1", "breaks": "6b5a9492ca0c991bab1ac495624e17520e9edf18", "cmt_msg": "media: v4l2-ioctl.c: use check_fmt for enum/g/s/try_fmt", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "b2469c814fbc8f1f19676dd4912717b798df511e", "last_affected_version": "4.15.3", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. 
Android ID A-34624167.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13166", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13166", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13166", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13166" } }, "CVE-2017-13167": { "affected_versions": "v2.6.12-rc2 to v4.5-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: timer: Fix race at concurrent reads", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. 
Android ID A-37240993.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13167", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13167", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13167", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13167", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13167", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13167" } }, "CVE-2017-13168": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: sg: mitigate read/write abuse", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "26b5b874aff5659a7e26e5b1997e3df2c41fa7fd", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. 
Android ID A-65023233.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13168", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13168", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13168", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13168", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13168", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13168" } }, "CVE-2017-13215": { "affected_versions": "v2.6.38-rc1 to v4.5-rc1", "breaks": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2", "cmt_msg": "crypto: algif_skcipher - Load TX SG list after waiting", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "4f0414e54e4d1893c6f08260693f8ef84c929293", "last_affected_version": "4.4.1", "last_modified": "2023-12-06", "nvd_text": "A elevation of privilege vulnerability in the Upstream kernel skcipher. Product: Android. Versions: Android kernel. Android ID: A-64386293. 
References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13215", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13215", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13215", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13215", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13215", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13215" } }, "CVE-2017-13216": { "affected_versions": "v3.3-rc1 to v4.15-rc8", "breaks": "11980c2ac4ccfad21a5f8ee9e12059f1e687bb40", "cmt_msg": "staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "443064cb0b1fb4569fe0a71209da7625129fb760", "last_affected_version": "4.14.13", "last_modified": "2023-12-06", "nvd_text": "In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. 
Android ID: A-66954097.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13216", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13216", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13216", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13216", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13216", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13216" } }, "CVE-2017-13220": { "affected_versions": "v3.10-rc1 to v3.19-rc3", "breaks": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6", "cmt_msg": "Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "51bda2bca53b265715ca1852528f38dc67429d9a", "last_affected_version": "3.16.56", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the Upstream kernel bluez. Product: Android. Versions: Android kernel. 
Android ID: A-63527053.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13220", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13220", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13220", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13220", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13220", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13220" } }, "CVE-2017-13221": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An elevation of privilege vulnerability in the Upstream kernel wifi driver. Product: Android. Versions: Android kernel. 
Android ID: A-64709938.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13221", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13221", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13221", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13221", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13221", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13221" }, "vendor_specific": true }, "CVE-2017-13222": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability in the Upstream kernel kernel. Product: Android. Versions: Android kernel. 
Android ID: A-38159576.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13222", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13222", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13222", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13222" }, "vendor_specific": true }, "CVE-2017-13305": { "affected_versions": "v2.6.38-rc1 to v4.12-rc5", "breaks": "7e70cb4978507cf31d76b90e4cfb4c28cad87f0c", "cmt_msg": "KEYS: encrypted: fix buffer overread in valid_master_desc()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Information Leak / Disclosure", "fixes": "794b4bc292f5d31739d89c0202c54e7dc9bc3add", "last_affected_version": "4.9.80", "last_modified": "2023-12-06", "nvd_text": "A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. 
Android ID: A-70526974.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13305", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13305", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13305", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13305", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13305", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13305" } }, "CVE-2017-13686": { "affected_versions": "v4.13-rc1 to v4.13-rc7", "breaks": "b61798130f1be5bff08712308126c2d7ebe390ef", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "bc3aae2bbac46dd894c89db5d5e98f7f0ef9e205", "last_modified": "2023-12-06", "nvd_text": "net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too late to check for a NULL fi field when RTM_F_FIB_MATCH is set, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via crafted system calls. 
NOTE: this does not affect any stable release.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13686", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13686", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13686", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13686", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13686", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13686" } }, "CVE-2017-13693": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13693", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13693", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13693", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13693", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13693", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13693" } }, 
"CVE-2017-13694": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13694", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13694", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13694", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13694", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13694", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13694" } }, "CVE-2017-13695": { "affected_versions": "v2.6.12-rc2 to v4.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c", "last_affected_version": "4.16.12", "last_modified": "2023-12-06", "nvd_text": "The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13695", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13695", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13695", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13695", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13695", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13695" } }, "CVE-2017-13715": { "affected_versions": "v4.2-rc1 to v4.3-rc1", "breaks": "b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Input Validation", "fixes": "a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0", "last_modified": "2023-12-06", "nvd_text": 
"The __skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and thoff are initialized, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a single crafted MPLS packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-13715", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-13715", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-13715", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-13715", "SUSE": "https://www.suse.com/security/cve/CVE-2017-13715", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13715" } }, "CVE-2017-14051": { "affected_versions": "v2.6.24-rc1 to v4.14-rc1", "breaks": "b7cc176c9eb3aa6989ac099efd8bdd6d0eaa784a", "cmt_msg": "scsi: qla2xxx: Fix an integer overflow in sysfs code", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Integer Overflow or Wraparound", "fixes": "e6f77540c067b48dee10f1e33678415bfcc89017", "last_affected_version": "4.13.3", "last_modified": "2023-12-06", "nvd_text": "An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14051", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-14051", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14051", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14051", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14051", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14051" } }, "CVE-2017-14106": { "affected_versions": "v2.6.12-rc2 to v4.12-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Divide By Zero", "fixes": "499350a5a6e7512d9ed369ed63a4244b6536f4f8", "last_affected_version": "4.9.50", "last_modified": "2023-12-06", "nvd_text": "The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14106", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14106", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14106", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14106", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14106", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14106" } }, "CVE-2017-14140": { "affected_versions": "v2.6.12-rc2 to v4.13-rc6", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Sanitize 'move_pages()' permission checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "197e7e521384a23b9e585178f3f11c9fa08274b9", "last_affected_version": "4.12.8", "last_modified": "2023-12-06", "nvd_text": "The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14140", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14140", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14140", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14140", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14140", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14140" } }, "CVE-2017-14156": { "affected_versions": "v2.6.12-rc2 to v4.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "video: fbdev: aty: do not leak uninitialized padding in clk to userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": 
"None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "8e75f7a7a00461ef6d91797a60b606367f6e344d", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14156", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14156", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14156", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14156", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14156", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14156" } }, "CVE-2017-14340": { "affected_versions": "v2.6.15-rc1 to v4.14-rc1", "breaks": "f538d4da8d521746ca5ebf8c1a8105eb49bfb45e", "cmt_msg": "xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "b31ff3cdf540110da4572e3e29bd172087af65cc", "last_affected_version": "4.13.1", "last_modified": "2023-12-06", "nvd_text": "The 
XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14340", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14340", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14340", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14340", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14340", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14340" } }, "CVE-2017-14489": { "affected_versions": "v2.6.12-rc2 to v4.14-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "c88f0e6b06f4092995688211a631bb436125d77b", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14489", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14489", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2017-14489", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14489", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14489", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14489" } }, "CVE-2017-14497": { "affected_versions": "v4.6-rc1 to v4.13", "breaks": "58d19b19cd99b438541eea4cdbf5c171900b25e5", "cmt_msg": "packet: Don't write vnet header beyond end of buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "edbd58be15a957f6a760c4a514cd475217eb97fd", "last_affected_version": "4.12", "last_modified": "2023-12-06", "nvd_text": "The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14497", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14497", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14497", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14497", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14497", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14497" } }, "CVE-2017-14954": { "affected_versions": "v4.13-rc1 to v4.14-rc3", "breaks": "ce72a16fa705f960ca2352e95a7c5f4801475e75", "cmt_msg": "fix 
infoleak in waitid(2)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "6c85501f2fabcfc4fc6ed976543d252c4eaf4be9", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14954", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14954", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14954", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14954", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14954", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14954" } }, "CVE-2017-14991": { "affected_versions": "v2.6.12-rc3 to v4.14-rc2", "breaks": "cb59e840838193957a84ad22f7e1465a06a7c10c", "cmt_msg": "scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "3e0097499839e0fe3af380410eababe5a47c4cf9", "last_affected_version": "4.13.3", "last_modified": "2023-12-06", "nvd_text": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-14991", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-14991", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-14991", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-14991", "SUSE": "https://www.suse.com/security/cve/CVE-2017-14991", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14991" } }, "CVE-2017-15102": { "affected_versions": "v2.6.12-rc2 to v4.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: misc: legousbtower: Fix NULL pointer deference", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.3 }, "cwe": "NULL Pointer Dereference", "fixes": "2fae9e5a7babada041e2e161699ade2447a01989", "last_affected_version": "4.8.0", "last_modified": "2023-12-06", "nvd_text": "The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who 
are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15102", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15102", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15102", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15102", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15102", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15102" } }, "CVE-2017-15115": { "affected_versions": "v2.6.12-rc2 to v4.14-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: do not peel off an assoc from one netns to another one", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "df80cd9b28b9ebaa284a41df611dbf3a2d05ca74", "last_affected_version": "4.13.15", "last_modified": "2023-12-06", "nvd_text": "The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15115", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15115", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2017-15115", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15115", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15115", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15115" } }, "CVE-2017-15116": { "affected_versions": "v2.6.12-rc2 to v4.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: rng - Remove old low-level rng interface", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "94f1bb15bed84ad6c893916b7e7b9db6f1d7eec6", "last_modified": "2023-12-06", "nvd_text": "The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a denial of service (NULL pointer dereference).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15116", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15116", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15116", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15116", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15116", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15116" } }, "CVE-2017-15121": { "affected_versions": "v2.6.12-rc2 to v3.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: teach truncate_inode_pages_range() to handle non page aligned ranges", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "5a7203947a1d9b6f3a00a39fda08c2466489555f", "last_modified": "2023-12-06", "nvd_text": "A non-privileged user is able to mount a fuse filesystem on RHEL 6 or 7 and crash a system if an application punches a hole in a file that does not end aligned to a page boundary.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15121", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15121", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15121", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15121", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15121", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15121" } }, "CVE-2017-15126": { "affected_versions": "v4.11-rc1 to v4.14-rc4", "breaks": "893e26e61d04eac974ded0c11e1647b335c8cb7b", "cmt_msg": "userfaultfd: non-cooperative: fix fork use after free", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Use After Free", "fixes": "384632e67e0829deb8015ee6ad916b180049d252", 
"last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in fs/userfaultfd.c in the Linux kernel before 4.13.6. The issue is related to the handling of fork failure when dealing with event messages. Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with userfaultfd_ctx_put().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15126", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15126", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15126", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15126", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15126", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15126" } }, "CVE-2017-15127": { "affected_versions": "v4.11-rc1 to v4.13-rc5", "breaks": "1c9e8def43a3452e7af658b340f5f4f4ecde5c38", "cmt_msg": "userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Data Handling", "fixes": "5af10dfd0afc559bb4b0f7e3e8227a1578333995", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. 
A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15127", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15127", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15127", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15127", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15127", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15127" } }, "CVE-2017-15128": { "affected_versions": "v4.11-rc1 to v4.14-rc8", "breaks": "8fb5debc5fcd450470cdd789c2d80ef95ebb8cf4", "cmt_msg": "userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "1e3921471354244f70fe268586ff94a97a6dd4df", "last_affected_version": "4.13.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.12. 
A lack of size check could cause a denial of service (BUG).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15128", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15128", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15128", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15128" } }, "CVE-2017-15129": { "affected_versions": "v4.0-rc1 to v4.15-rc5", "breaks": "0c7aecd4bde4b7302cd41986d3a29e4f0b0ed218", "cmt_msg": "net: Fix double free and memory corruption in get_net_ns_by_id()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "21b5944350052d2583e82dd59b19a9ba94a007f0", "last_affected_version": "4.14.10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. 
Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15129", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15129", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15129", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15129", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15129", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15129" } }, "CVE-2017-15265": { "affected_versions": "v2.6.12-rc2 to v4.14-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: seq: Fix use-after-free at creating a port", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "71105998845fb012937332fe2e806d443c09e026", "last_affected_version": "4.13.7", "last_modified": "2023-12-06", "nvd_text": "Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15265", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15265", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15265", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2017-15265", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15265", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15265" } }, "CVE-2017-15274": { "affected_versions": "v2.6.12-rc2 to v4.12-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: fix dereferencing NULL payload with nonzero length", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "5649645d725c73df4302428ee4e02c869248b4c5", "last_affected_version": "4.11.4", "last_modified": "2023-12-06", "nvd_text": "security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15274", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15274", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15274", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15274", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15274", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15274" } }, "CVE-2017-15299": { "affected_versions": "v2.6.12-rc2 to v4.14-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: 
don't let add_key() update an uninstantiated key", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "60ff5b2f547af3828aebafd54daded44cfb0807a", "last_affected_version": "4.13.9", "last_modified": "2023-12-06", "nvd_text": "The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15299", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15299", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15299", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15299", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15299", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15299" } }, "CVE-2017-15306": { "affected_versions": "v4.8-rc1 to v4.14-rc7", "breaks": "23528bb21ee2c9b27f3feddd77a2a3351a8df148", "cmt_msg": "KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "ac64115a66c18c01745bbd3c47a36b124e5fd8c0", "last_affected_version": "4.13.10", "last_modified": "2023-12-06", "nvd_text": "The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) via a KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to /dev/kvm.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15306", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15306", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15306", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15306", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15306", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15306" } }, "CVE-2017-15537": { "affected_versions": "v2.6.12-rc2 to v4.14-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/fpu: Don't let userspace set bogus xcomp_bv", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "814fb7bb7db5433757d76f4c4502c96fc53b0b5e", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "The x86/fpu (Floating Point Unit) subsystem in 
the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15537", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15537", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15537", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15537", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15537", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15537" } }, "CVE-2017-15649": { "affected_versions": "v3.1-rc1 to v4.14-rc4", "breaks": "dc99f600698dcac69b8f56dda9a8a00d645c5ffc", "cmt_msg": "packet: in packet_do_bind, test fanout with bind_lock held", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Race Conditions", "fixes": "4971613c1639d8e5f102c4e797c3bf8f83a5a69e", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different 
vulnerability than CVE-2017-6346.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15649", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15649", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15649", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15649", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15649", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15649" } }, "CVE-2017-15868": { "affected_versions": "v2.6.12-rc2 to v3.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "71bb99a02b32b4cc4265118e85f6035ca72923f0", "last_affected_version": "3.18.63", "last_modified": "2023-12-06", "nvd_text": "The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15868", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15868", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15868", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15868", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15868", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15868" } }, "CVE-2017-15951": { "affected_versions": "v4.4-rc1 to v4.14-rc6", "breaks": "146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc", "cmt_msg": "KEYS: Fix race between updating and finding a negative key", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "363b02dab09b3226f3bd1420dad9c72b79a42a76", "last_affected_version": "4.13.9", "last_modified": "2023-12-06", "nvd_text": "The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the \"negative\" state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-15951", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-15951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-15951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-15951", "SUSE": "https://www.suse.com/security/cve/CVE-2017-15951", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15951" } }, "CVE-2017-16525": { "affected_versions": "v2.6.18-rc1 to v4.14-rc5", "breaks": "73e487fdb75f8abf230968dbf73a3dc3b16808d3", "cmt_msg": "USB: serial: console: fix use-after-free after failed setup", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Use After Free", "fixes": "299d7572e46f98534033a9e65973f13ad1ce9047", "last_affected_version": "4.13.7", "last_modified": "2023-12-06", "nvd_text": "The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16525", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16525", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16525", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16525", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16525", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16525" } }, "CVE-2017-16526": { "affected_versions": "v2.6.28-rc1 to v4.14-rc4", "breaks": "183b9b592a622a7719ee38e275fd7ff3aaf74d0d", "cmt_msg": "uwb: properly check kthread_run return value", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "bbf26183b7a6236ba602f4d6a2f7cade35bba043", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16526", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16526", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16526", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16526", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16526", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16526" } }, "CVE-2017-16527": { "affected_versions": "v2.6.12-rc2 to v4.14-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: Kill stray URB at exiting", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Use After Free", "fixes": "124751d5e63c823092060074bd0abaae61aaa9c4", "last_affected_version": "4.13.7", "last_modified": "2023-12-06", "nvd_text": "sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-16527", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16527", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16527", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16527", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16527", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16527" } }, "CVE-2017-16528": { "affected_versions": "v2.6.12-rc2 to v4.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: seq: Cancel pending autoload work at unbinding device", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Use After Free", "fixes": "fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57", "last_affected_version": "4.13.3", "last_modified": "2023-12-06", "nvd_text": "sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16528", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16528", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16528", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16528", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16528", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16528" } }, "CVE-2017-16529": { 
"affected_versions": "v2.6.12-rc2 to v4.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Read", "fixes": "bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16529", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16529", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16529", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16529", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16529", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16529" } }, "CVE-2017-16530": { "affected_versions": "v3.15-rc1 to v4.14-rc4", "breaks": "6134041bef0aeb9cb7c8a8daf045b44513cd8396", "cmt_msg": "USB: uas: fix bug in handling of alternate settings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", 
"score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Read", "fixes": "786de92b3cb26012d3d0f00ee37adf14527f35c4", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16530", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16530", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16530", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16530", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16530", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16530" } }, "CVE-2017-16531": { "affected_versions": "v2.6.12-rc2 to v4.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: fix out-of-bounds in usb_set_configuration", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Buffer Errors", "fixes": "bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb", 
"last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16531", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16531", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16531", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16531", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16531", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16531" } }, "CVE-2017-16532": { "affected_versions": "v2.6.12-rc2 to v4.14-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: usbtest: fix NULL pointer dereference", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "NULL Pointer Dereference", "fixes": "7c80f9e4a588f1925b07134bb2e3689335f6c6d8", "last_affected_version": "4.13.13", "last_modified": "2023-12-06", "nvd_text": "The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-16532", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16532", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16532", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16532", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16532", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16532" } }, "CVE-2017-16533": { "affected_versions": "v2.6.12-rc2 to v4.14-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: usbhid: fix out-of-bounds bug", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Read", "fixes": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "last_affected_version": "4.13.7", "last_modified": "2023-12-06", "nvd_text": "The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16533", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16533", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16533", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16533", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16533", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16533" } }, "CVE-2017-16534": { "affected_versions": 
"v4.4-rc1 to v4.14-rc4", "breaks": "c40a2c8817e42273a4627c48c884b805475a733f", "cmt_msg": "USB: core: harden cdc_parse_cdc_header", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Buffer Errors", "fixes": "2e1c42391ff2556387b3cb6308b24f6f65619feb", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16534", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16534", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16534", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16534", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16534", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16534" } }, "CVE-2017-16535": { "affected_versions": "v3.2-rc1 to v4.14-rc6", "breaks": "3148bf041d169a083aa31bd69bedd5bfb7ffe215", "cmt_msg": "USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Read", "fixes": "1c0edc3633b56000e18d82fc241e3995ca18a69e", "last_affected_version": "4.13.9", "last_modified": "2023-12-06", "nvd_text": "The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16535", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16535", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16535", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16535", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16535", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16535" } }, "CVE-2017-16536": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "[media] cx231xx-cards: fix NULL-deref on missing association descriptor", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "NULL Pointer Dereference", "fixes": "6c3b047fa2d2286d5e438bcb470c7b1a49f415f6", "last_affected_version": "4.14.2", 
"last_modified": "2023-12-06", "nvd_text": "The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16536", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16536", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16536", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16536", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16536", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16536" } }, "CVE-2017-16537": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: imon: Fix null-ptr-deref in imon_probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "NULL Pointer Dereference", "fixes": "58fd55e838276a0c13d1dc7c387f90f25063cbf3", "last_affected_version": "4.14.0", "last_modified": "2023-12-06", "nvd_text": "The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16537", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-16537", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16537", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16537", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16537", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16537" } }, "CVE-2017-16538": { "affected_versions": "v3.9-rc1 to v4.16-rc1", "breaks": "b858c331cdf402853be2c48c8f4f77173ef04da8", "cmt_msg": "media: dvb-usb-v2: lmedm04: Improve logic checking of warm start", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Input Validation", "fixes": "3d932ee27e852e4904647f15b64dedca51187ad7", "last_affected_version": "4.15.3", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16538", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16538", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16538", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16538", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16538", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16538" } }, "CVE-2017-16643": { "affected_versions": "v2.6.12-rc2 to v4.14-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: gtco - fix potential out-of-bound access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Read", "fixes": "a50829479f58416a013a4ccca791336af3c584c7", "last_affected_version": "4.13.10", "last_modified": "2023-12-06", "nvd_text": "The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16643", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16643", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16643", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16643", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16643", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16643" } }, "CVE-2017-16644": { "affected_versions": "v4.8-rc1 to v4.16-rc1", "breaks": "5612e191ca1f88e16c48bb373d90d1508196aa95", "cmt_msg": "media: hdpvr: Fix an error handling path in hdpvr_probe()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality 
Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Error Handling", "fixes": "c0f71bbb810237a38734607ca4599632f7f5d47f", "last_affected_version": "4.15.3", "last_modified": "2023-12-06", "nvd_text": "The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16644", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16644", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16644", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16644", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16644", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16644" } }, "CVE-2017-16645": { "affected_versions": "v3.10-rc1 to v4.14-rc6", "breaks": "628329d52474323938a03826941e166bc7c8eff4", "cmt_msg": "Input: ims-psu - check if CDC union descriptor is sane", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds 
Read", "fixes": "ea04efee7635c9120d015dcdeeeb6988130cb67a", "last_affected_version": "4.13.13", "last_modified": "2023-12-06", "nvd_text": "The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16645", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16645", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16645", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16645", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16645", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16645" } }, "CVE-2017-16646": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: dib0700: fix invalid dvb_detach argument", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "NULL Pointer Dereference", "fixes": "eb0c19942288569e0ae492476534d5a485fb8ab4", "last_affected_version": "4.14.0", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-16646", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16646", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16646", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16646" } }, "CVE-2017-16647": { "affected_versions": "v4.9-rc1 to v4.14", "breaks": "d9fe64e511144c1ee7d7555b4111f09dde9692ef", "cmt_msg": "net: usb: asix: fill null-ptr-deref in asix_suspend", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "NULL Pointer Dereference", "fixes": "8f5624629105589bcc23d0e51cc01bd8103d09a5", "last_affected_version": "4.13", "last_modified": "2023-12-06", "nvd_text": "drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16647", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16647", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16647", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16647" } }, "CVE-2017-16648": { "affected_versions": "v4.15-rc1 
to v4.15-rc1", "backport": true, "breaks": "62229de19ff2b7f3e0ebf4d48ad99061127d0281", "cmt_msg": "dvb_frontend: don't use-after-free the frontend struct", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Use After Free", "fixes": "b1cb7372fa822af6c06c8045963571d13ad6348b", "last_affected_version": "4.14.6", "last_modified": "2023-12-06", "nvd_text": "The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. 
NOTE: the function was later renamed __dvb_frontend_free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16648", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16648", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16648", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16648" } }, "CVE-2017-16649": { "affected_versions": "v2.6.12-rc2 to v4.14", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: cdc_ether: fix divide by 0 on bad descriptors", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Divide By Zero", "fixes": "2cb80187ba065d7decad7c6614e35e07aec8a974", "last_affected_version": "4.13", "last_modified": "2023-12-06", "nvd_text": "The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16649", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16649", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16649", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16649", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16649", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16649" } }, "CVE-2017-16650": { "affected_versions": "v3.4-rc1 to v4.14", "breaks": "423ce8caab7ea2b13f4a29ce0839369528aafaeb", "cmt_msg": "net: qmi_wwan: fix divide by 0 on bad descriptors", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Divide By Zero", "fixes": "7fd078337201cf7468f53c3d9ef81ff78cb6df3b", "last_affected_version": "4.13", "last_modified": "2023-12-06", "nvd_text": "The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16650", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16650", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16650", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16650", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16650", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16650" } }, "CVE-2017-16911": { "affected_versions": "v2.6.12-rc2 to v4.15-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usbip: prevent vhci_hcd driver from leaking a socket pointer address", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": 
"Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "2f2d0088eb93db5c649d2a5e34a3800a8a935fc5", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16911", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16911", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16911", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16911", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16911", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16911" } }, "CVE-2017-16912": { "affected_versions": "v2.6.12-rc2 to v4.15-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usbip: fix stub_rx: get_pipe() to validate endpoint number", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Out-of-bounds Read", "fixes": 
"635f545a7e8be7596b9b2b6a43cab6bbd5a88e43", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The \"get_pipe()\" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16912", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16912", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16912", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16912", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16912", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16912" } }, "CVE-2017-16913": { "affected_versions": "v2.6.12-rc2 to v4.15-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Buffer Errors", "fixes": "c6688ef9f29762e65bce325ef4acd6c675806366", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The \"stub_recv_cmd_submit()\" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16913", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16913", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16913", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16913", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16913", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16913" } }, "CVE-2017-16914": { "affected_versions": "v2.6.12-rc2 to v4.15-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "NULL Pointer Dereference", "fixes": "be6123df1ea8f01ee2f896a16c2b7be3e4557a5a", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The \"stub_send_ret_submit()\" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16914", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16914", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16914", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16914", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16914", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16914" } }, "CVE-2017-16939": { "affected_versions": "v2.6.28-rc1 to v4.14-rc7", "breaks": "12a169e7d8f4b1c95252d8b04ed0f1033ed7cfe2", "cmt_msg": "ipsec: Fix aborted xfrm policy dump crash", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "1137b5e2529a8f5ca8ee709288ecba3e68044df2", "last_affected_version": "4.13.10", "last_modified": "2023-12-06", "nvd_text": "The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16939", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16939", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16939", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16939", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16939", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16939" } }, "CVE-2017-16994": { "affected_versions": "v4.0-rc1 to v4.15-rc1", "breaks": "1e25a271c8ac1c9faebf4eb3fa609189e4e7b1b6", "cmt_msg": "mm/pagewalk.c: report holes in hugetlb ranges", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "373c4557d2aa362702c4c2d41288fb1e54990b7c", "last_affected_version": "4.14.1", "last_modified": "2023-12-06", "nvd_text": "The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16994", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16994", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16994", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16994", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16994", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16994" } }, "CVE-2017-16995": { "affected_versions": "v2.6.12-rc2 to v4.15-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: fix incorrect sign extension in check_alu_op()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, 
"cwe": "Buffer Errors", "fixes": "95a762e2c8c942780948091f8f2a4f32fce1ac6f", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-16995", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16995", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16995", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16995" } }, "CVE-2017-16996": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2", "cmt_msg": "bpf: fix incorrect tracking of register size truncation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "0c17d1d2c61936401f4702e1846e2c19b200f958", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-16996", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-16996", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-16996", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-16996", "SUSE": "https://www.suse.com/security/cve/CVE-2017-16996", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16996" } }, "CVE-2017-17052": { "affected_versions": "v4.7-rc1 to v4.13-rc7", "breaks": "7c051267931a9be9c6620cc17b362bc6ee6dedc8", "cmt_msg": "fork: fix incorrect fput of ->exe_file causing use-after-free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "2b7e8665b4ff51c034c55df3cff76518d1a9ee3a", "last_affected_version": "4.12.9", "last_modified": "2023-12-06", "nvd_text": "The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17052", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17052", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17052", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17052", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17052", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17052" } }, 
"CVE-2017-17053": { "affected_versions": "v4.6-rc1 to v4.13-rc7", "breaks": "39a0526fb3f7d93433d146304278477eb463f8af", "cmt_msg": "x86/mm: Fix use-after-free of ldt_struct", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "ccd5b3235180eef3cfec337df1c8554ab151b5cc", "last_affected_version": "4.12.9", "last_modified": "2023-12-06", "nvd_text": "The init_new_context function in arch/x86/include/asm/mmu_context.h in the Linux kernel before 4.12.10 does not correctly handle errors from LDT table allocation when forking a new process, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. 
This vulnerability only affected kernels built with CONFIG_MODIFY_LDT_SYSCALL=y.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17053", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17053", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17053", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17053", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17053" } }, "CVE-2017-17448": { "affected_versions": "v3.6-rc1 to v4.15-rc4", "breaks": "12f7a505331e6b2754684b509f2ac8f0011ce644", "cmt_msg": "netfilter: nfnetlink_cthelper: Add missing permission checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Security Features", "fixes": "4b380c42f7d00a395feede754f0bc2292eebe6e5", "last_affected_version": "4.14.15", "last_modified": "2023-12-06", "nvd_text": "net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17448", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17448", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17448", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17448", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-17448", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17448" } }, "CVE-2017-17449": { "affected_versions": "v3.11-rc1 to v4.15-rc4", "breaks": "bcbde0d449eda7afa8f63280b165c8300dbd00e2", "cmt_msg": "netlink: Add netns check on taps", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "93c647643b48f0131f02e45da3bd367d80443291", "last_affected_version": "4.14.10", "last_modified": "2023-12-06", "nvd_text": "The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17449", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17449", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17449", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17449", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17449", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17449" } }, "CVE-2017-17450": { "affected_versions": "v2.6.31-rc1 to v4.15-rc4", "breaks": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "cmt_msg": "netfilter: xt_osf: Add missing 
permission checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Security Features", "fixes": "916a27901de01446bcf57ecca4783f6cff493309", "last_affected_version": "4.14.15", "last_modified": "2023-12-06", "nvd_text": "net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17450", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17450", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17450", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17450", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17450", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17450" } }, "CVE-2017-17558": { "affected_versions": "v2.6.12-rc2 to v4.15-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: core: prevent malicious bNumInterfaces overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", 
"Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Write", "fixes": "48a4ff1c7bb5a32d2e396b03132d20d552c0eca7", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17558", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17558", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17558", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17558", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17558", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17558" } }, "CVE-2017-17712": { "affected_versions": "v3.19-rc1 to v4.15-rc4", "breaks": "c008ba5bdc9fa830e1a349b20b0be5a137bdef7a", "cmt_msg": "net: ipv4: fix for a race condition in raw_sendmsg", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "8f659a03a0ba9289b9aeb9b4470e6fb263d6f483", 
"last_affected_version": "4.14.10", "last_modified": "2023-12-06", "nvd_text": "The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17712", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17712", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17712", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17712", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17712", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17712" } }, "CVE-2017-17741": { "affected_versions": "v2.6.12-rc2 to v4.15-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: Fix stack-out-of-bounds read in write_mmio", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Out-of-bounds Read", "fixes": "e39d200fa5bf5b94a0948db0dae44c1b73b84a56", "last_affected_version": "4.14.13", "last_modified": "2023-12-06", "nvd_text": "The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17741", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-17741", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17741", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17741", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17741", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17741" } }, "CVE-2017-17805": { "affected_versions": "v2.6.25-rc1 to v4.15-rc4", "breaks": "eb6f13eb9f812f5812ed5d14f241309da369dee6", "cmt_msg": "crypto: salsa20 - fix blkcipher_walk API usage", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "ecaaab5649781c5a0effdaf298a925063020500e", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. 
Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17805", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17805", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17805", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17805", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17805", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17805" } }, "CVE-2017-17806": { "affected_versions": "v2.6.12-rc2 to v4.15-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: hmac - require that the underlying hash algorithm is unkeyed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-17806", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17806", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17806", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17806", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17806", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17806" } }, "CVE-2017-17807": { "affected_versions": "v2.6.13-rc1 to v4.15-rc3", "breaks": "3e30148c3d524a9c1c63ca28261bc24c457eb07a", "cmt_msg": "KEYS: add missing permission check for request_key() destination", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Improper Access Control", "fixes": "4dca6ea1d9432052afb06baf2e3ae78188a4410b", "last_affected_version": "4.14.5", "last_modified": "2023-12-06", "nvd_text": "The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's \"default request-key keyring\" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17807", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17807", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17807", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2017-17807", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17807", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17807" } }, "CVE-2017-17852": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: fix 32-bit ALU op verification", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "468f6eafa6c44cb2c5d8aad35e12f06c240a812a", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17852", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17852", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17852", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17852", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17852", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17852" } }, "CVE-2017-17853": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2", "cmt_msg": "bpf/verifier: fix bounds calculation on BPF_RSH", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "4374f256ce8182019353c0c639bb8d0695b4c941", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17853", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17853", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17853", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17853", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17853", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17853" } }, "CVE-2017-17854": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: fix integer overflows", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or 
Wraparound", "fixes": "bb7f0f989ca7de1153bd128a40a71709e339fa03", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17854", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17854", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17854", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17854", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17854", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17854" } }, "CVE-2017-17855": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: don't prune branches when a scalar is replaced with a pointer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "179d1c5602997fef5a940c6ddcf31212cbfebd14", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-17855", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17855", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17855", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17855", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17855", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17855" } }, "CVE-2017-17856": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: force strict alignment checks for stack pointers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "a5ec6ae161d72f01411169a938fa5f8baea16e8f", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17856", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17856", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17856", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17856", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17856", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17856" } }, "CVE-2017-17857": { "affected_versions": "v4.14-rc1 to 
v4.15-rc5", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: fix missing error return in check_stack_boundary()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "ea25f914dc164c8d56b36147ecc86bc65f83c469", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17857", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17857", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17857", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17857", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17857", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17857" } }, "CVE-2017-17862": { "affected_versions": "v3.18-rc1 to v4.15-rc1", "breaks": "17a5267067f3c372fec9ffb798d6eaba6b5e6a4c", "cmt_msg": "bpf: fix branch pruning logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack 
Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "c131187db2d3fa2f8bf32fdf4e9a4ef805168467", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17862", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17862", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17862", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17862", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17862", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17862" } }, "CVE-2017-17863": { "affected_versions": "v4.9-rc8 to v4.15-rc5", "breaks": "e2d2afe15ed452f91797a80dbc0a17838ba03ed4", "cmt_msg": "bpf: fix integer overflows", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "bb7f0f989ca7de1153bd128a40a71709e339fa03", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c 
in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17863", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17863", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17863", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17863", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17863", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17863" } }, "CVE-2017-17864": { "affected_versions": "v4.14-rc1 to v4.15-rc5", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: don't prune branches when a scalar is replaced with a pointer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Information Leak / Disclosure", "fixes": "179d1c5602997fef5a940c6ddcf31212cbfebd14", "last_affected_version": "4.14.8", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17864", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-17864", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17864", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17864", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17864", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17864" } }, "CVE-2017-17975": { "affected_versions": "v3.18-rc1 to v4.17-rc1", "breaks": "63ddf68de52efaac40a9287e44266ac30e71dd36", "cmt_msg": "media: usbtv: prevent double free in error case", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "50e7044535537b2a54c7ab798cd34c7f6d900bd2", "last_affected_version": "4.16.0", "last_modified": "2023-12-06", "nvd_text": "Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-17975", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-17975", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-17975", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-17975", "SUSE": "https://www.suse.com/security/cve/CVE-2017-17975", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17975" } }, "CVE-2017-18017": { "affected_versions": "v2.6.12-rc2 to v4.11-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: xt_TCPMSS: add more sanity tests on tcph->doff", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Use After Free", "fixes": "2638fd0f92d4397884fd991d8f4925cb3f081901", "last_affected_version": "4.9.35", "last_modified": "2023-12-06", "nvd_text": "The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18017", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18017", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18017", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18017", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18017", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18017" } }, "CVE-2017-18075": { "affected_versions": "v4.2-rc1 to v4.15-rc7", "breaks": "0496f56065e00f6c3bfcefc4f9b5419847e4a8b5", "cmt_msg": "crypto: pcrypt - fix freeing pcrypt instances", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": 
"None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Resource Management Errors", "fixes": "d76c68109f37cb85b243a1cf0f40313afd2bae68", "last_affected_version": "4.14.12", "last_modified": "2023-12-06", "nvd_text": "crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18075", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18075", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18075", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18075", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18075", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18075" } }, "CVE-2017-18079": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: i8042 - fix crash at boot time", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges 
Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "340d394a789518018f834ff70f7534fc463d3226", "last_affected_version": "4.12.3", "last_modified": "2023-12-06", "nvd_text": "drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18079", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18079", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18079", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18079", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18079", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18079" } }, "CVE-2017-18169": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Data Handling", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "User process can perform the kernel DOS in ashmem when doing cache maintenance operation in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18169", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-18169", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18169", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18169", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18169", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18169" }, "vendor_specific": true }, "CVE-2017-18174": { "affected_versions": "v4.1-rc1 to v4.7-rc1", "breaks": "dbad75dd1f25e0107c643d42774a7f9a8ba85e9b", "cmt_msg": "pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Double Free", "fixes": "251e22abde21833b3d29577e4d8c7aaccd650eee", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18174", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18174", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18174", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18174", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18174", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18174" } }, "CVE-2017-18193": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix a bug caused by NULL extent tree", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "dad48e73127ba10279ea33e6dbc8d3905c4d31c0", "last_affected_version": "4.9.85", "last_modified": "2023-12-06", "nvd_text": "fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users to cause a denial of service (BUG) via an application with multiple threads.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18193", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18193", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18193", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18193", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18193", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18193" } }, "CVE-2017-18200": { "affected_versions": "v4.14-rc1 to v4.14-rc5", "breaks": "969d1b180d987c2be02de890d0fff0f66a0e80de", "cmt_msg": "f2fs: fix potential panic during fstrim", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, 
"cwe": "Input Validation", "fixes": "638164a2718f337ea224b747cf5977ef143166a4", "last_modified": "2023-12-06", "nvd_text": "The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18200", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18200", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18200", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18200", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18200", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18200" } }, "CVE-2017-18202": { "affected_versions": "v4.6-rc1 to v4.15-rc2", "breaks": "aac453635549699c13a84ea1456d5b0e574ef855", "cmt_msg": "mm, oom_reaper: gather each vma to prevent leaking TLB entry", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "687cb0884a714ff484d038e9190edc874edcf146", "last_affected_version": "4.14.3", "last_modified": "2023-12-06", "nvd_text": "The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-18202", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18202", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18202", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18202", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18202", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18202" } }, "CVE-2017-18203": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dm: fix race between dm_get_from_kobject() and __dm_destroy()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "b9a41d21dceadf8104812626ef85dc56ee8a60ed", "last_affected_version": "4.14.2", "last_modified": "2023-12-06", "nvd_text": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18203", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18203", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18203", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18203", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18203", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18203" } }, "CVE-2017-18204": { "affected_versions": 
"v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ocfs2: should wait dio before inode lock in ocfs2_setattr()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "28f5a8a7c033cbf3e32277f4cc9c6afd74f05300", "last_affected_version": "4.14.1", "last_modified": "2023-12-06", "nvd_text": "The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18204", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18204", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18204", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18204", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18204", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18204" } }, "CVE-2017-18208": { "affected_versions": "v2.6.13-rc1 to v4.15-rc2", "breaks": "fe77ba6f4f97690baa4c756611a07f3cc033f6ae", "cmt_msg": "mm/madvise.c: fix madvise() infinite loop under special circumstances", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", 
"Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91", "last_affected_version": "4.14.3", "last_modified": "2023-12-06", "nvd_text": "The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18208", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18208", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18208", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18208", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18208", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18208" } }, "CVE-2017-18216": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "853bc26a7ea39e354b9f8889ae7ad1492ffa28d2", "last_affected_version": "4.14.56", "last_modified": "2023-12-06", "nvd_text": "In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL 
pointer dereference and BUG) because a required mutex is not used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18216", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18216", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18216", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18216", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18216", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18216" } }, "CVE-2017-18218": { "affected_versions": "v4.5-rc1 to v4.13-rc1", "breaks": "13ac695e7ea16cb27b804fadf2ff569dbcab6af1", "cmt_msg": "net: hns: Fix a skb used after free bug", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2", "last_affected_version": "4.9.91", "last_modified": "2023-12-06", "nvd_text": "In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel before 4.13, local users can cause a denial of service (use-after-free and BUG) or possibly have unspecified other impact by leveraging differences in skb handling between hns_nic_net_xmit_hw and hns_nic_net_xmit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18218", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18218", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18218", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18218", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18218", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18218" } }, "CVE-2017-18221": { "affected_versions": "v3.12-rc1 to v4.12-rc4", "breaks": "1ebb7cc6a58321a4b22c4c9097b4651b0ab859d0", "cmt_msg": "mlock: fix mlock count can not decrease in race condition", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "70feee0e1ef331b22cc51f383d532a0d043fbdcc", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18221", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18221", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18221", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18221", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18221", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18221" } }, "CVE-2017-18222": { "affected_versions": "v4.4-rc1 to v4.12-rc1", "breaks": "511e6bc071db1484d1a3d1d0bd4c244cf33910ff", "cmt_msg": "net: hns: fix ethtool_get_strings overflow in hns driver", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", 
"raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "412b65d15a7f8a93794653968308fc100f2aa87c", "last_affected_version": "4.9.89", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data, which allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by incompatibility between hns_get_sset_count and ethtool_get_strings.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18222", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18222", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18222", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18222" } }, "CVE-2017-18224": { "affected_versions": "v4.6-rc1 to v4.15-rc1", "breaks": "c15471f79506830f80eca0e7fe09b8213953ab5f", "cmt_msg": "ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "3e4c56d41eef5595035872a2ec5a483f42e8917f", "last_affected_version": "4.14.56", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18224", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18224", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18224", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18224", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18224", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18224" } }, "CVE-2017-18232": { "affected_versions": "v3.4-rc1 to v4.16-rc1", "breaks": "87c8331fcf72e501c3a3c0cdc5c9391ec72f7cf2", "cmt_msg": "scsi: libsas: direct call probe and destruct", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "0558f33c06bb910e2879e355192227a8e8f0219d", "last_affected_version": "4.14.191", "last_modified": "2023-12-06", "nvd_text": "The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain 
error-handling code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18232", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18232", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18232", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18232", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18232", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18232" } }, "CVE-2017-18241": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix a panic caused by NULL flush_cmd_control", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "d4fdf8ba0e5808ba9ad6b44337783bd9935e0982", "last_affected_version": "4.9.143", "last_modified": "2023-12-06", "nvd_text": "fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18241", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18241", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18241", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18241", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18241", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18241" } }, 
"CVE-2017-18249": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix race condition in between free nid allocator/initializer", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "30a61ddf8117c26ac5b295e1233eaa9629a94ca3", "last_affected_version": "4.9.143", "last_modified": "2023-12-06", "nvd_text": "The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an allocated nid, which allows local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18249", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18249", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18249", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18249", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18249", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18249" } }, "CVE-2017-18255": { "affected_versions": "v2.6.12-rc2 to v4.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf/core: Fix the perf_cpu_time_max_percent check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "1572e45a924f254d9570093abde46430c3172e3d", "last_affected_version": "4.9.98", "last_modified": "2023-12-06", "nvd_text": "The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18255", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18255", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18255", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18255", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18255", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18255" } }, "CVE-2017-18257": { "affected_versions": "v4.2-rc1 to v4.11-rc1", "breaks": "003a3e1d60b0bb5cfb4feffb05a2083db2346364", "cmt_msg": "f2fs: fix a dead loop in f2fs_fiemap()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Integer Overflow or Wraparound", "fixes": 
"b86e33075ed1909d8002745b56ecf73b833db143", "last_affected_version": "4.9.99", "last_modified": "2023-12-06", "nvd_text": "The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18257", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18257", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18257", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18257", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18257", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18257" } }, "CVE-2017-18261": { "affected_versions": "v3.14-rc7 to v4.13-rc6", "breaks": "96b3d28bf4b00f62fc8386ff5d487d1830793a3d", "cmt_msg": "clocksource/drivers/arm_arch_timer: Avoid infinite recursion when ftrace is enabled", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4", "last_modified": "2023-12-06", "nvd_text": "The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, 
and FUNCTION_GRAPH_TRACER.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18261", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18261", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18261", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18261", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18261", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18261" } }, "CVE-2017-18270": { "affected_versions": "v2.6.26-rc1 to v4.14-rc3", "breaks": "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9", "cmt_msg": "KEYS: prevent creating a different user's keyrings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "score": 7.1 }, "cwe": "Unspecified", "fixes": "237bbd29f7a049d310d907f4b2716a7feef9abf3", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18270", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18270", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18270", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18270", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18270", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18270" } }, "CVE-2017-18344": { "affected_versions": "v3.10-rc1 to v4.15-rc4", 
"breaks": "57b8015e07a70301e9ec9f324db1a8b73b5a1e2b", "cmt_msg": "posix-timer: Properly check sigevent->sigev_notify", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "cef31d9af908243421258f1df35a4a644604efbe", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). 
This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18344", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18344", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18344", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18344", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18344", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18344" } }, "CVE-2017-18360": { "affected_versions": "v2.6.12-rc2 to v4.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: serial: io_ti: fix div-by-zero in set_termios", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Divide By Zero", "fixes": "6aeb75e6adfaed16e58780309613a578fe1ee90b", "last_affected_version": "4.11.2", "last_modified": "2023-12-06", "nvd_text": "In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18360", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18360", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18360", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18360", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-18360", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18360" } }, "CVE-2017-18379": { "affected_versions": "v4.10-rc1 to v4.14-rc3", "breaks": "c53432030d86429dc9fe5adc3d68cb9d1343b0b2", "cmt_msg": "nvmet-fc: ensure target queue id within range.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "0c319d3a144d4b8f1ea2047fd614d2149b68f889", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.14, an out of boundary access happened in drivers/nvme/target/fc.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18379", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18379", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18379", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18379", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18379", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18379" } }, "CVE-2017-18509": { "affected_versions": "v2.6.12-rc2 to v4.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Input Validation", "fixes": "99253eb750fda6a644d5188fb26c43bad8d5a745", "last_affected_version": "4.9.186", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. 
NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18509", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18509", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18509", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18509", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18509", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18509" } }, "CVE-2017-18549": { "affected_versions": "v4.11-rc1 to v4.13-rc1", "breaks": "423400e64d377c0d8a2459795420681177e51e74", "cmt_msg": "scsi: aacraid: Don't copy uninitialized stack memory to userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Exposure", "fixes": "342ffc26693b528648bdc9377e51e4f2450b4860", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. 
There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18549", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18549", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18549", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18549", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18549", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18549" } }, "CVE-2017-18550": { "affected_versions": "v4.11-rc1 to v4.13-rc1", "breaks": "c799d519bf088c0c5deb481b0190990417ace1bc", "cmt_msg": "scsi: aacraid: Don't copy uninitialized stack memory to userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Exposure", "fixes": "342ffc26693b528648bdc9377e51e4f2450b4860", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. 
There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18550", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18550", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18550", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18550", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18550", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18550" } }, "CVE-2017-18551": { "affected_versions": "v2.6.12-rc2 to v4.15-rc9", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "89c6efa61f5709327ecfa24bff18e57a4e80c7fa", "last_affected_version": "4.14.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. 
There is an out of bounds write in the function i2c_smbus_xfer_emulated.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18551", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18551", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18551", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18551", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18551", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18551" } }, "CVE-2017-18552": { "affected_versions": "v4.11-rc1 to v4.11-rc1", "backport": true, "breaks": "3289025aedc018f8fd9d0e37fb9efa0c6d531ffa", "cmt_msg": "RDS: validate the requested traces user input against max supported", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "780e982905bef61d13496d9af5310bf4af3a64d3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. 
There is an out of bounds write and read in the function rds_recv_track_latency.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18552", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18552", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18552", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18552", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18552", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18552" } }, "CVE-2017-18595": { "affected_versions": "v3.10-rc1 to v4.15-rc6", "breaks": "737223fbca3b1c91feb947c7f571b35749b743b6", "cmt_msg": "tracing: Fix possible double free on failure of allocating trace buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "4397f04575c44e1440ec2e49b6302785c95fd2f8", "last_affected_version": "4.14.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.14.11. 
A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-18595", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-18595", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-18595", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-18595", "SUSE": "https://www.suse.com/security/cve/CVE-2017-18595", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18595" } }, "CVE-2017-2583": { "affected_versions": "v3.6-rc1 to v4.10-rc4", "breaks": "79d5b4c3cd809c770d4bf9812635647016c56011", "cmt_msg": "KVM: x86: fix emulation of \"MOV SS, null selector\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.4 }, "cwe": "Unspecified", "fixes": "33ab91103b3415e12457e3104f0e4517ce12d0f3", "last_affected_version": "4.9.4", "last_modified": "2023-12-06", "nvd_text": "The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a \"MOV SS, NULL selector\" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2583", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2583", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2583", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2583", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-2583", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2583" } }, "CVE-2017-2584": { "affected_versions": "v3.6-rc1 to v4.10-rc4", "breaks": "96051572c819194c37a8367624b285be10297eca", "cmt_msg": "KVM: x86: Introduce segmented_write_std", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Information Leak / Disclosure", "fixes": "129a72a0d3c8e139a04512325384fe5ac119e74d", "last_affected_version": "4.9.4", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2584", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2584", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2584", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2584", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2584", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2584" } }, "CVE-2017-2596": { "affected_versions": "v3.16-rc1 to v4.11-rc1", "breaks": "3573e22cfecaac83f82ef4f6847d90e466fc8e10", "cmt_msg": "kvm: fix page struct leak in handle_vmon", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability 
Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Resource Management Errors", "fixes": "06ce521af9558814b8606c0476c54497cf83a653", "last_affected_version": "4.10.9", "last_modified": "2023-12-06", "nvd_text": "The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2596", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2596", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2596", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2596", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2596", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2596" } }, "CVE-2017-2618": { "affected_versions": "v3.5-rc1 to v4.10-rc8", "breaks": "d6ea83ec6864e9297fa8b00ec3dae183413a90e3", "cmt_msg": "selinux: fix off-by-one in setprocattr", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, 
"cwe": "Incorrect Calculation", "fixes": "0c461cb727d146c9ef2d3e86214f498b78b7d125", "last_affected_version": "4.9.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2618", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2618", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2618", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2618", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2618", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2618" } }, "CVE-2017-2634": { "affected_versions": "v2.6.12-rc2 to v2.6.25-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Buffer Errors", "fixes": "f53dc67c5e7babafe239b93a11678b0e05bead51", "last_modified": "2023-12-06", "nvd_text": "It was found that the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation before 2.6.22.17 used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. 
A remote attacker could use this flaw to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2634", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2634", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2634", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2634", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2634" } }, "CVE-2017-2636": { "affected_versions": "v2.6.31-rc1 to v4.11-rc2", "breaks": "be10eb7589337e5defbe214dae038a53dd21add8", "cmt_msg": "tty: n_hdlc: get rid of racy n_hdlc.tbuf", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "82f2341c94d270421f383641b7cd670e474db56b", "last_affected_version": "4.10.2", "last_modified": "2023-12-06", "nvd_text": "Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2636", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2636", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2636", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2636" } }, "CVE-2017-2647": { 
"affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: Remove key_type::match in favour of overriding default by match_preparse", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81", "last_affected_version": "3.16.45", "last_modified": "2023-12-06", "nvd_text": "The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2647", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2647", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2647", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2647" } }, "CVE-2017-2671": { "affected_versions": "v3.0-rc1 to v4.11-rc6", "breaks": "c319b4d76b9e583a5d88d6bf190e079c4e43213d", "cmt_msg": "ping: implement proper locking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": 
"AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "43a6684519ab0a6c52024b5e253224", "last_affected_version": "4.10.13", "last_modified": "2023-12-06", "nvd_text": "The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-2671", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-2671", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-2671", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-2671", "SUSE": "https://www.suse.com/security/cve/CVE-2017-2671", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2671" } }, "CVE-2017-5123": { "affected_versions": "v4.13-rc1 to v4.14-rc5", "breaks": "4c48abe91be03d191d0c20cc755877da2cb35622", "cmt_msg": "waitid(): Add missing access_ok() checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Improper Input Validation", "fixes": 
"96ca579a1ecc943b75beba58bebb0356f6cc4b51", "last_affected_version": "4.13.6", "last_modified": "2023-12-06", "nvd_text": "Insufficient data validation in waitid (a missing access_ok() check on the user-supplied pointer, per the fixing commit) allowed a user to escape sandboxes on Linux.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5123", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5123", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5123", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5123", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5123", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5123" } }, "CVE-2017-5546": { "affected_versions": "v4.7-rc1 to v4.10-rc4", "breaks": "c7ce4f60ac199fb3521c5fcd64da21cee801ec2b", "cmt_msg": "mm/slab.c: fix SLAB freelist randomization duplicate entries", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "c4e490cf148e85ead0d1b1c2caaba833f1d5b29f", "last_affected_version": "4.9.4", "last_modified": "2023-12-06", "nvd_text": "The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5546", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5546", 
"NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5546", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5546", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5546", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5546" } }, "CVE-2017-5547": { "affected_versions": "v4.4-rc1 to v4.10-rc5", "breaks": "6f78193ee9ea5575180d4462f0f7273a22dd5057", "cmt_msg": "HID: corsair: fix DMA buffers on stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Resource Management Errors", "fixes": "6d104af38b570d37aa32a5803b04c354f8ed513d", "last_affected_version": "4.9.5", "last_modified": "2023-12-06", "nvd_text": "drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5547", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5547", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5547", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5547", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5547", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5547" } }, "CVE-2017-5548": { "affected_versions": "v4.9-rc1 to v4.10-rc5", "breaks": 
"e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "ieee802154: atusb: do not use the stack for buffers to make them DMA able", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Resource Management Errors", "fixes": "05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655", "last_affected_version": "4.9.5", "last_modified": "2023-12-06", "nvd_text": "drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5548", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5548", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5548", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5548", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5548", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5548" } }, "CVE-2017-5549": { "affected_versions": "v2.6.34-rc1 to v4.10-rc4", "breaks": "abf492e7b3ae74873688cf9960283853a3054471", "cmt_msg": "USB: serial: kl5kusb105: fix line-state error handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": 
"AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Exposure Through Log Files", "fixes": "146cc8a17a3b4996f6805ee5c080e7101277c410", "last_affected_version": "4.9.4", "last_modified": "2023-12-06", "nvd_text": "The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5549", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5549", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5549", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5549", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5549", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5549" } }, "CVE-2017-5550": { "affected_versions": "v4.9-rc1 to v4.10-rc4", "breaks": "241699cd72a8489c9446ae3910ddd243e9b9061b", "cmt_msg": "fix a fencepost error in pipe_advance()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": 
"b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb", "last_affected_version": "4.9.4", "last_modified": "2023-12-06", "nvd_text": "Off-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before 4.9.5 allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5550", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5550", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5550", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5550", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5550", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5550" } }, "CVE-2017-5551": { "affected_versions": "v4.9-rc1 to v4.10-rc4", "backport": true, "breaks": "073931017b49d9458aa351605b43a7e34598caef", "cmt_msg": "tmpfs: clear S_ISGID when setting posix ACLs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "score": 4.4 }, "cwe": "Unspecified", "fixes": "497de07d89c1410d76a15bec2bb41f24a2a89f31", "last_affected_version": "4.9.5", "last_modified": "2023-12-06", "nvd_text": "The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute 
permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5551", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5551", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5551", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5551", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5551", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5551" } }, "CVE-2017-5576": { "affected_versions": "v4.5-rc1 to v4.10-rc6", "breaks": "d5b1a78a772f1e31a94f8babfa964152ec5e9aa5", "cmt_msg": "drm/vc4: Fix an integer overflow in temporary allocation layout.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "0f2ff82e11c86c05d051cae32b58226392d33bbf", "last_affected_version": "4.9.6", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5576", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5576", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5576", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5576", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-5576", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5576" } }, "CVE-2017-5577": { "affected_versions": "v4.5-rc1 to v4.10-rc6", "breaks": "d5b1a78a772f1e31a94f8babfa964152ec5e9aa5", "cmt_msg": "drm/vc4: Return -EINVAL on the overflow checks failing.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Error Handling", "fixes": "6b8ac63847bc2f958dd93c09edc941a0118992d9", "last_affected_version": "4.9.6", "last_modified": "2023-12-06", "nvd_text": "The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5577", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5577", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5577", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5577", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5577", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5577" } }, "CVE-2017-5669": { "affected_versions": "v2.6.12-rc2 to v4.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipc/shm: Fix shmat mmap nil-page protection", "cvss2": { "Access Complexity": "Low", 
"Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "95e91b831f87ac8e1f8ed50c14d709089b4e01b8", "last_affected_version": "4.10.1", "last_modified": "2023-12-06", "nvd_text": "The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5669", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5669", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5669", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5669" } }, "CVE-2017-5715": { "affected_versions": "v2.6.12-rc2 to v4.15-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges 
Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "99c6fa2511d8a683e61468be91b83f85452115fa", "last_affected_version": "4.14.13", "last_modified": "2023-12-06", "name": "Spectre", "nvd_text": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5715", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5715", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5715", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5715", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5715", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715" } }, "CVE-2017-5753": { "affected_versions": "v2.6.12-rc2 to v4.15-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "99c6fa2511d8a683e61468be91b83f85452115fa", "last_affected_version": "4.14.13", "last_modified": "2024-02-02", "name": "Spectre", "nvd_text": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information 
to an attacker with local user access via a side-channel analysis.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5753", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5753", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5753", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5753", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5753", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753" } }, "CVE-2017-5754": { "affected_versions": "v2.6.12-rc2 to v4.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/cpufeatures: Add Intel feature bits for Speculation Control", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "fc67dd70adb711a45d2ef34e12d1a8be75edde61", "last_affected_version": "4.15.1", "last_modified": "2023-12-06", "name": "Meltdown", "nvd_text": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5754", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5754", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5754", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5754", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5754", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754" } }, "CVE-2017-5897": { "affected_versions": "v3.7-rc1 to v4.10-rc8", "breaks": "c12b395a46646bab69089ce7016ac78177f6001f", "cmt_msg": "ip6_gre: fix ip6gre_err() invalid reads", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Out-of-bounds Read", "fixes": "7892032cfe67f4bde6fc2ee967e45a8fbaf33756", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5897", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5897", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5897", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5897", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5897", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5897" } }, "CVE-2017-5967": { "affected_versions": "v2.6.12-rc2 to v4.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "time: Remove CONFIG_TIMER_STATS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 
}, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 4.0 }, "cwe": "Information Leak / Disclosure", "fixes": "dfb4357da6ddbdf57d583ba64361c9d792b0e0b1", "last_modified": "2023-12-06", "nvd_text": "The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5967", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5967", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5967", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5967", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5967", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5967" } }, "CVE-2017-5970": { "affected_versions": "v2.6.35-rc1 to v4.10-rc8", "breaks": "f84af32cbca70a3c6d30463dc08c7984af11c277", "cmt_msg": "ipv4: keep skb->dst around in presence of IP options", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Improper Access Control", "fixes": 
"34b2cef20f19c87999fff3da4071e66937db9644", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5970", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5970", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5970", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5970", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5970", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5970" } }, "CVE-2017-5972": { "affected_versions": "v2.6.12-rc2 to v4.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: do not lock listener to process SYN packets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714", "last_modified": "2023-12-06", "nvd_text": "The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS 
Linux 7. NOTE: third parties have been unable to discern any relationship between the GitHub Engineering finding and the Trigemini.c attack code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5972", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-5972", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5972", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5972" } }, "CVE-2017-5986": { "affected_versions": "v2.6.17-rc5 to v4.10-rc8", "breaks": "61c9fed41638249f8b6ca5345064eb1beb50179f", "cmt_msg": "sctp: avoid BUG_ON on sctp_wait_for_sndbuf", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Race Conditions", "fixes": "2dcab598484185dea7ec22219c76dcdd59e3cb90", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-5986", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-5986", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-5986", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2017-5986", "SUSE": "https://www.suse.com/security/cve/CVE-2017-5986", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5986" } }, "CVE-2017-6001": { "affected_versions": "v4.5-rc6 to v4.10-rc4", "backport": true, "breaks": "130056275ade730e7a79c110212c8815202773ee", "cmt_msg": "perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "score": 7.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "321027c1fe77f892f4ea07846aeae08cefbbb290", "last_affected_version": "4.9.6", "last_modified": "2023-12-06", "nvd_text": "Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6001", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6001", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6001", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6001" } }, "CVE-2017-6074": { "affected_versions": "v2.6.12-rc2 to v4.10", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dccp: fix freeing skb too early for IPV6_RECVPKTINFO", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4", "last_affected_version": "4.9", "last_modified": "2023-12-06", "nvd_text": "The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6074", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6074", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6074", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6074", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-6074", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6074" } }, "CVE-2017-6214": { "affected_versions": "v2.6.25-rc1 to v4.10-rc8", "breaks": "9c55e01c0cc835818475a6ce8c4d684df9949ac8", "cmt_msg": "tcp: avoid infinite loop in tcp_splice_read()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "ccf7abb93af09ad0868ae9033d1ca8108bdaec82", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6214", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6214", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6214", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6214", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6214", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6214" } }, "CVE-2017-6345": { "affected_versions": "v3.12-rc1 to v4.10", "breaks": "376c7311bdb6efea3322310333576a04d73fbe4c", "cmt_msg": "net/llc: avoid BUG_ON() in skb_orphan()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": 
"Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "8b74d439e1697110c5e5c600643e823eb1dd0762", "last_affected_version": "4.9", "last_modified": "2023-12-06", "nvd_text": "The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6345", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6345", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6345", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6345", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6345", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6345" } }, "CVE-2017-6346": { "affected_versions": "v3.1-rc1 to v4.10", "breaks": "dc99f600698dcac69b8f56dda9a8a00d645c5ffc", "cmt_msg": "packet: fix races in fanout_add()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": 
"d199fab63c11998a602205f7ee7ff7c05c97164b", "last_affected_version": "4.9", "last_modified": "2023-12-06", "nvd_text": "Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6346", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6346", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6346", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6346", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6346", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6346" } }, "CVE-2017-6347": { "affected_versions": "v4.0-rc1 to v4.11-rc1", "breaks": "ad6f939ab193750cc94a265f58e007fb598c97b7", "cmt_msg": "ip: fix IP_CHECKSUM handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32", "last_affected_version": "4.10.0", "last_modified": "2023-12-06", "nvd_text": "The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE 
flag in conjunction with loopback UDP transmission.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6347", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6347", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6347", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6347", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6347", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6347" } }, "CVE-2017-6348": { "affected_versions": "v2.6.22-rc1 to v4.10", "breaks": "c7630a4b932af254d61947a3a7e3831de92c7fb5", "cmt_msg": "irda: Fix lockdep annotations in hashbin_delete().", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "4c03b862b12f980456f9de92db6d508a4999b788", "last_affected_version": "4.9", "last_modified": "2023-12-06", "nvd_text": "The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6348", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6348", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6348", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6348", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6348", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6348" } }, 
"CVE-2017-6353": { "affected_versions": "v4.10-rc8 to v4.11-rc1", "backport": true, "breaks": "2dcab598484185dea7ec22219c76dcdd59e3cb90", "cmt_msg": "sctp: deny peeloff operation on asocs with threads sleeping on it", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "dfcb9f4f99f1e9a49e43398a7bfbf56927544af1", "last_affected_version": "4.10.4", "last_modified": "2023-12-06", "nvd_text": "net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. 
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6353", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6353", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6353", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6353", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6353", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6353" } }, "CVE-2017-6874": { "affected_versions": "v4.9-rc1 to v4.11-rc2", "breaks": "f6b2db1a3e8d141dd144df58900fb0444d5d7c53", "cmt_msg": "ucount: Remove the atomicity from ucount->count", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "040757f738e13caaa9c5078bca79aa97e11dde88", "last_affected_version": "4.10.3", "last_modified": "2023-12-06", "nvd_text": "Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6874", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6874", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6874", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6874", "SUSE": 
"https://www.suse.com/security/cve/CVE-2017-6874", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6874" } }, "CVE-2017-6951": { "affected_versions": "v2.6.12-rc2 to v3.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KEYS: Remove key_type::match in favour of overriding default by match_preparse", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81", "last_affected_version": "3.16.45", "last_modified": "2023-12-06", "nvd_text": "The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the \"dead\" type.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-6951", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-6951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-6951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-6951", "SUSE": "https://www.suse.com/security/cve/CVE-2017-6951", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6951" } }, "CVE-2017-7184": { "affected_versions": "v2.6.39-rc1 to v4.11-rc5", "breaks": "e2b19125e94124daaeda1ddcf9b85b04575ad86f", "cmt_msg": "xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "677e806da4d916052585301785d847c3b3e6186a", "last_affected_version": "4.10.7", "last_modified": "2023-12-06", "nvd_text": "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7184", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7184", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7184", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7184", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7184", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184" } }, "CVE-2017-7187": { "affected_versions": "v3.17-rc1 to v4.11-rc5", "breaks": "65c26a0f39695ba01d9693754f27ca76cc8a3ab5", "cmt_msg": "scsi: sg: check length passed to SG_NEXT_CMD_LEN", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "bf33f87dd04c371ea33feb821b60d63d754e3124", "last_affected_version": "4.10.8", "last_modified": "2023-12-06", "nvd_text": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7187", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7187", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7187", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7187", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7187", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7187" } }, "CVE-2017-7261": { "affected_versions": "v2.6.33-rc1 to v4.11-rc6", "breaks": "fb1d9738ca053ea8afa5e86af6463155f983b01c", "cmt_msg": "drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "36274ab8c596f1240c606bb514da329add2a1bcd", "last_affected_version": "4.10.9", "last_modified": 
"2023-12-06", "nvd_text": "The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7261", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7261", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7261", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7261", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7261", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7261" } }, "CVE-2017-7273": { "affected_versions": "v2.6.23-rc1 to v4.10-rc4", "breaks": "ea9a4a8b0e5a34eca6613e39d21be879d92ecff5", "cmt_msg": "HID: hid-cypress: validate length of report", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Unspecified", "fixes": "1ebb71143758f45dc0fa76e2f48429e13b16d110", "last_affected_version": "4.9.3", "last_modified": "2023-12-06", "nvd_text": "The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 3.2 and 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-7273", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7273", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7273", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7273", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7273", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7273" } }, "CVE-2017-7277": { "affected_versions": "v4.10-rc1 to v4.11-rc4", "breaks": "1c885808e45601b2b6f68b30ac1d999e10b6f606", "cmt_msg": "tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:C", "score": 6.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "4ef1b2869447411ad3ef91ad7d4891a83c1a509a", "last_affected_version": "4.10.13", "last_modified": "2023-12-06", "nvd_text": "The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7277", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7277", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7277", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7277", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7277", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7277" } }, "CVE-2017-7294": { "affected_versions": "v3.2-rc1 to v4.11-rc6", "breaks": "414ee50b3a111983056b1a828fac08f9e8fbc7e9", "cmt_msg": "drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "e7e11f99564222d82f0ce84bd521e57d78a6b678", "last_affected_version": "4.10.9", "last_modified": "2023-12-06", "nvd_text": "The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7294", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7294", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7294", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7294", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7294", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7294" } }, "CVE-2017-7308": { "affected_versions": "v2.6.12-rc2 to v4.11-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/packet: fix overflow in check for priv area size", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "2b6867c2ce76c596676bec7d2d525af525fdc6e2", "last_affected_version": "4.10.10", "last_modified": "2023-12-06", "nvd_text": "The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7308", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7308", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7308", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7308", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7308", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308" } }, "CVE-2017-7346": { "affected_versions": "v3.14-rc1 to v4.12-rc5", "breaks": "a97e21923b421993258e8487f2a5700c1ba3897f", "cmt_msg": "drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf", "last_affected_version": "4.11.4", "last_modified": "2023-12-06", "nvd_text": "The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7346", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7346", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7346", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7346", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7346", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7346" } }, "CVE-2017-7369": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In all Android releases from CAF using the Linux kernel, an array index in an ALSA routine is not properly validating potentially leading to kernel stack corruption.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-7369", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7369", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7369", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7369", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7369", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7369" }, "vendor_specific": true }, "CVE-2017-7374": { "affected_versions": "v4.2-rc1 to v4.11-rc4", "breaks": "b7236e21d55ff9008737621c84dd8ee6c37c7c6d", "cmt_msg": "fscrypt: remove broken support for detecting keyring key revocation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "1b53cf9815bb4744958d41f3795d5d5a1d365e2d", "last_affected_version": "4.10.6", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7374", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7374", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7374", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7374", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7374", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7374" } }, "CVE-2017-7472": { "affected_versions": "v2.6.29-rc1 to v4.11-rc8", "breaks": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "cmt_msg": "KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "c9f838d104fed6f2f61d68164712e3204bf5271b", "last_affected_version": "4.10.12", "last_modified": "2023-12-06", "nvd_text": "The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7472", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7472", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7472", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7472", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7472", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7472" } }, "CVE-2017-7477": { "affected_versions": "v4.6-rc1 to v4.11", "breaks": "c09440f7dcb304002dfced8c0fea289eb25f2da0", "cmt_msg": "macsec: avoid heap overflow in skb_to_sgvec", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": 
"AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Buffer Errors", "fixes": "4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee", "last_affected_version": "4.10", "last_modified": "2023-12-06", "nvd_text": "Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7477", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7477", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7477", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7477", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7477", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7477" } }, "CVE-2017-7482": { "affected_versions": "v2.6.12-rc2 to v4.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rxrpc: Fix several cases where a padded len isn't checked in ticket decode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "5f2f97656ada8d811d3c1bef503ced266fcd53a0", "last_affected_version": "4.11.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7482", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7482", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7482", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7482", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7482", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7482" } }, "CVE-2017-7487": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipx: call ipxitf_put() in ioctl error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ee0d8d8482345ff97a75a7d747efc309f13b0d80", "last_affected_version": "4.11.2", "last_modified": "2023-12-06", "nvd_text": "The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or 
possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7487", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7487", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7487", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7487", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7487", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7487" } }, "CVE-2017-7495": { "affected_versions": "v3.8-rc1 to v4.7-rc1", "breaks": "f3b59291a69d0b734be1fc8be489fef2dd846d3d", "cmt_msg": "ext4: fix data exposure after a crash", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "06bd3c36a733ac27962fea7d6f47168841376824", "last_affected_version": "4.6.1", "last_modified": "2023-12-06", "nvd_text": "fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write system calls, and reading this file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7495", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7495", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7495", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2017-7495", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7495", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7495" } }, "CVE-2017-7518": { "affected_versions": "v2.6.12-rc2 to v4.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: fix singlestepping over syscall", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c8401dda2f0a00cd25c0af6a95ed50e478d25de4", "last_affected_version": "4.11.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. 
Linux guests are not affected by this.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7518", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7518", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7518", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7518", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7518", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7518" } }, "CVE-2017-7533": { "affected_versions": "v3.14-rc1 to v4.13-rc1", "breaks": "7053aee26a3548ebaba046ae2e52396ccf56ac6c", "cmt_msg": "dentry name snapshots", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "49d31c2f389acfe83417083e1208422b4091cd9e", "last_affected_version": "4.12.4", "last_modified": "2023-12-06", "nvd_text": "Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7533", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7533", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7533", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7533", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7533", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7533" } }, "CVE-2017-7541": { "affected_versions": "v3.9-rc1 to v4.13-rc1", "breaks": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab", "cmt_msg": "brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "8f44c9a41386729fea410e688959ddaa9d51be7c", "last_affected_version": "4.12.2", "last_modified": "2023-12-06", "nvd_text": "The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7541", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7541", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7541", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7541", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7541", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7541" } }, "CVE-2017-7542": { "affected_versions": "v2.6.12-rc2 to v4.13-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: avoid overflow of offset in ip6_find_1stfragopt", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Integer Overflow or Wraparound", "fixes": "6399f1fae4ec29fab5ec76070435555e256ca3a6", "last_affected_version": "4.12.5", "last_modified": "2023-12-06", "nvd_text": "The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7542", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7542", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7542", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7542", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7542", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7542" } }, "CVE-2017-7558": { "affected_versions": "v4.7-rc1 to v4.13", "breaks": "8f840e47f190cbe61a96945c13e9551048d42cef", "cmt_msg": "sctp: Avoid out-of-bounds reads from address storage", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Out-of-bounds Read", "fixes": 
"ee6c88bb754e3d363e568da78086adfedb692447", "last_affected_version": "4.12", "last_modified": "2023-12-06", "nvd_text": "A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7558", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7558", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7558", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7558", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7558", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7558" } }, "CVE-2017-7616": { "affected_versions": "v2.6.12-rc2 to v4.11-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm/mempolicy.c: fix error handling in set_mempolicy and mbind.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Error Handling", "fixes": "cf01fb9985e8deb25ccf0ea54d916b8871ae0e62", "last_affected_version": "4.10.9", "last_modified": "2023-12-06", "nvd_text": "Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive 
information from uninitialized stack data by triggering failure of a certain bitmap operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7616", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7616", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7616", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7616", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7616", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7616" } }, "CVE-2017-7618": { "affected_versions": "v2.6.27-rc1 to v4.11-rc8", "breaks": "004a403c2e954734090a69aedc7f4f822bdcc142", "cmt_msg": "crypto: ahash - Fix EINPROGRESS notification callback", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Other", "fixes": "ef0579b64e93188710d48667cb5e014926af9f1b", "last_affected_version": "4.10.11", "last_modified": "2023-12-06", "nvd_text": "crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7618", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7618", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7618", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7618", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7618", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7618" } }, "CVE-2017-7645": { "affected_versions": "v2.6.12-rc2 to v4.11", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nfsd: check for oversized NFSv2/v3 arguments", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Input Validation", "fixes": "e6838a29ecb484c97e4efef9429643b9851fba6e", "last_affected_version": "4.10", "last_modified": "2023-12-06", "nvd_text": "The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7645", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7645", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7645", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7645", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7645", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7645" } }, "CVE-2017-7889": { "affected_versions": "v2.6.12-rc2 to v4.11-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: Tighten x86 /dev/mem with zeroing reads", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", 
"raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Access Control", "fixes": "a4866aa812518ed1a37d8ea0c881dc946409de94", "last_affected_version": "4.10.11", "last_modified": "2023-12-06", "nvd_text": "The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7889", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7889", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7889", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7889", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7889", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7889" } }, "CVE-2017-7895": { "affected_versions": "v2.6.12-rc2 to v4.11", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nfsd: stricter decoding of write-like NFSv2/v3 ops", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Numeric Errors", "fixes": "13bf9fbff0e5e099e2b6f003a0ab8ae145436309", "last_affected_version": "4.10", "last_modified": "2023-12-06", "nvd_text": "The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7895", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7895", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7895", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7895", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7895", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7895" } }, "CVE-2017-7979": { "affected_versions": "v4.11-rc1 to v4.11-rc8", "breaks": "1045ba77a5962a22bce7777678ef46714107ea63", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "e0535ce58b92d7baf0b33284a6c4f8f0338f943e", "last_modified": "2023-12-06", "nvd_text": "The cookie feature in the packet action API implementation in net/sched/act_api.c in the Linux kernel 4.11.x through 4.11-rc7 mishandles the tb nlattr array, which allows local users to cause a denial of service (uninitialized memory access and refcount underflow, 
and system hang or crash) or possibly have unspecified other impact via \"tc filter add\" commands in certain contexts. NOTE: this does not affect stable kernels, such as 4.10.x, from kernel.org.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-7979", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-7979", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-7979", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-7979", "SUSE": "https://www.suse.com/security/cve/CVE-2017-7979", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7979" } }, "CVE-2017-8061": { "affected_versions": "v4.9-rc1 to v4.11-rc4", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "[media] dvb-usb-firmware: don't do DMA on stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "67b0503db9c29b04eadfeede6bebbfe5ddad94ef", "last_affected_version": "4.10.6", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8061", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-8061", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8061", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8061", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8061", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8061" } }, "CVE-2017-8062": { "affected_versions": "v4.9-rc1 to v4.11-rc2", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "[media] dw2102: don't do DMA on stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "606142af57dad981b78707234cfbd15f9f7b7125", "last_affected_version": "4.10.3", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8062", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8062", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8062", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8062", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8062", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8062" } }, "CVE-2017-8063": { "affected_versions": 
"v4.9-rc4 to v4.11-rc1", "breaks": "17ce039b4e5405c49d8c0d64e6d781cc6f4dc1ac", "cmt_msg": "[media] cxusb: Use a dma capable buffer also for reading", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "3f190e3aec212fc8c61e202c51400afa7384d4bc", "last_affected_version": "4.10.11", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8063", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8063", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8063", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8063", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8063", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8063" } }, "CVE-2017-8064": { "affected_versions": "v3.7-rc1 to v4.11-rc1", "breaks": "d10d1b9ac97b96dd9183944d30b1664bdbb5fbf6", "cmt_msg": "[media] dvb-usb-v2: avoid use-after-free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "005145378c9ad7575a01b6ce1ba118fb427f583a", "last_affected_version": "4.10.11", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8064", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8064", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8064", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8064", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8064", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8064" } }, "CVE-2017-8065": { "affected_versions": "v4.11-rc1 to v4.11-rc1", "backport": true, "breaks": "f15f05b0a5de667c821a9727c33bce9d1d9b26dd", "cmt_msg": "crypto: ccm - move cbcmac input off the stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"score": 7.8 }, "cwe": "Buffer Errors", "fixes": "3b30460c5b0ed762be75a004e924ec3f8711e032", "last_modified": "2023-12-06", "nvd_text": "crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8065", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8065", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8065", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8065", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8065", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8065" } }, "CVE-2017-8066": { "affected_versions": "v4.8-rc1 to v4.11-rc1", "breaks": "05ca5270005c18ec46decacef87992ea968f9fce", "cmt_msg": "can: gs_usb: Don't use stack memory for USB transfers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "c919a3069c775c1c876bec55e00b2305d5125caa", "last_affected_version": "4.10.1", "last_modified": "2023-12-06", "nvd_text": "drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or 
possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8066", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8066", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8066", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8066", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8066", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8066" } }, "CVE-2017-8067": { "affected_versions": "v4.9-rc1 to v4.11-rc1", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "virtio-console: avoid DMA from stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "c4baad50297d84bde1a7ad45e50c73adae4a2192", "last_affected_version": "4.10.11", "last_modified": "2023-12-06", "nvd_text": "drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8067", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8067", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8067", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2017-8067", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8067", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8067" } }, "CVE-2017-8068": { "affected_versions": "v4.9-rc1 to v4.10-rc8", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "pegasus: Use heap buffers for all register access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "5593523f968bc86d42a035c6df47d5e0979b5ace", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8068", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8068", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8068", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8068", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8068", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8068" } }, "CVE-2017-8069": { "affected_versions": "v4.9-rc1 to v4.10-rc8", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "rtl8150: Use heap buffers for all 
register access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "7926aff5c57b577ab0f43364ff0c59d968f6a414", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8069", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8069", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8069", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8069", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8069", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8069" } }, "CVE-2017-8070": { "affected_versions": "v4.9-rc1 to v4.10-rc8", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "catc: Use heap buffer for memory size test", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478", "last_affected_version": "4.9.10", "last_modified": "2023-12-06", "nvd_text": "drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8070", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8070", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8070", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8070", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8070", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8070" } }, "CVE-2017-8071": { "affected_versions": "v4.9-rc7 to v4.10-rc7", "breaks": "1ffb3c40ffb5c51bc39736409b11816c4260218e", "cmt_msg": "HID: cp2112: fix sleep-while-atomic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "7a7b5df84b6b4e5d599c7289526eed96541a0654", "last_affected_version": "4.9.8", "last_modified": "2023-12-06", "nvd_text": 
"drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8071", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8071", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8071", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8071", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8071", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8071" } }, "CVE-2017-8072": { "affected_versions": "v4.9-rc1 to v4.10-rc7", "breaks": "e37e43a497d5a8b7c0cc1736d56986f432c394c9", "cmt_msg": "HID: cp2112: fix gpio-callback error handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Error Handling", "fixes": "8e9faa15469ed7c7467423db4c62aeed3ff4cae3", "last_affected_version": "4.9.8", "last_modified": "2023-12-06", "nvd_text": "The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8072", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8072", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2017-8072", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8072", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8072", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8072" } }, "CVE-2017-8106": { "affected_versions": "v3.12-rc1 to v3.16-rc1", "breaks": "bfd0a56b90005f8c8a004baf407ad90045c2b11e", "cmt_msg": "KVM: nVMX: Don't advertise single context invalidation for invept", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "4b855078601fc422dbac3059f2215e776f49780f", "last_modified": "2023-12-06", "nvd_text": "The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8106", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8106", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8106", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8106", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8106", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8106" } }, "CVE-2017-8240": { "affected_versions": "v3.18-rc1 to v3.19-rc6", "breaks": "327455817a92522e669d2d11367e42af5956a8ed", "cmt_msg": "pinctrl: qcom: Don't iterate past end of function 
array", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "bcd53f858d87f52843cc87764b283999126a50d6", "last_affected_version": "3.18.4", "last_modified": "2023-12-06", "nvd_text": "In all Android releases from CAF using the Linux kernel, a kernel driver has an off-by-one buffer over-read vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8240", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8240", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8240", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8240", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8240", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8240" } }, "CVE-2017-8242": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 5.9 }, "cwe": "Race Conditions", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In all Android releases from CAF 
using the Linux kernel, a race condition exists in a QTEE driver potentially leading to an arbitrary memory write.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8242", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8242", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8242", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8242", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8242", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8242" }, "vendor_specific": true }, "CVE-2017-8244": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Buffer Errors", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In core_info_read and inst_info_read in all Android releases from CAF using the Linux kernel, variable \"dbg_buf\", \"dbg_buf->curr\" and \"dbg_buf->filled_size\" could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer overflow is possible on race conditions. 
\"buffer->curr\" itself could also be overwritten, which means that it may point to anywhere of kernel memory (for write).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8244", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8244", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8244", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8244", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8244", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8244" }, "vendor_specific": true }, "CVE-2017-8245": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8245", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8245", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8245", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8245", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8245", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8245" }, "vendor_specific": true }, "CVE-2017-8246": { "affected_versions": "unk to unk", "breaks": "", 
"cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8246", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8246", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8246", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8246", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8246", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8246" }, "vendor_specific": true }, "CVE-2017-8797": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nfsd: fix undefined behavior in nfsd4_layout_verify", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack 
Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Improper Validation of Array Index", "fixes": "b550a32e60a4941994b437a8d662432a486235a5", "last_affected_version": "4.11.2", "last_modified": "2023-12-06", "nvd_text": "The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8797", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8797", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8797", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8797", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8797", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8797" } }, "CVE-2017-8824": { "affected_versions": "v2.6.14-rc1 to v4.15-rc3", "breaks": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c", "cmt_msg": "dccp: CVE-2017-8824: use-after-free in DCCP code", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, 
"cwe": "Use After Free", "fixes": "69c64866ce072dea1d1e59a0d61e0f66c0dffb76", "last_affected_version": "4.14.19", "last_modified": "2023-12-06", "nvd_text": "The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8824", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8824", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8824", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8824", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8824", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8824" } }, "CVE-2017-8831": { "affected_versions": "v2.6.32-rc1 to v4.13-rc1", "breaks": "443c1228d50518f3c550e1fef490a2c9d9246ce7", "cmt_msg": "[media] saa7164: fix double fetch PCIe access condition", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Out-of-bounds Read", "fixes": "6fb05e0dd32e566facb96ea61a48c7488daa5ac3", "last_affected_version": "4.12.5", "last_modified": "2023-12-06", "nvd_text": "The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 
\"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8831", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8831", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8831", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8831", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8831", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8831" } }, "CVE-2017-8890": { "affected_versions": "v2.6.12-rc2 to v4.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dccp/tcp: do not inherit mc_list from parent", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "657831ffc38e30092a2d5f03d385d710eb88b09a", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8890", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8890", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8890", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8890", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8890", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8890" } 
}, "CVE-2017-8924": { "affected_versions": "v2.6.30-rc1 to v4.11-rc2", "breaks": "8c209e6782ca0e3046803fc04a5ac01c8c10437a", "cmt_msg": "USB: serial: io_ti: fix information leak in completion handler", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Integer Underflow (Wrap or Wraparound)", "fixes": "654b404f2a222f918af9b0cd18ad469d0c941a8e", "last_affected_version": "4.10.3", "last_modified": "2023-12-06", "nvd_text": "The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8924", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8924", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8924", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8924", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8924", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8924" } }, "CVE-2017-8925": { "affected_versions": "v2.6.28-rc1 to v4.11-rc2", "breaks": "4a90f09b20f4622dcbff1f0e1e6bae1704f8ad8c", "cmt_msg": "USB: serial: omninet: fix reference leaks at open", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality 
Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "30572418b445d85fcfe6c8fe84c947d2606767d8", "last_affected_version": "4.10.3", "last_modified": "2023-12-06", "nvd_text": "The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-8925", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-8925", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-8925", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-8925", "SUSE": "https://www.suse.com/security/cve/CVE-2017-8925", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8925" } }, "CVE-2017-9059": { "affected_versions": "v4.9-rc1 to v4.12-rc1", "breaks": "bb6aeba736ba9fd4d9569eec4bc3f7aecb42162a", "cmt_msg": "NFSv4: Fix callback server shutdown", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "ed6473ddc704a2005b9900ca08e236ebb2d8540a", "last_affected_version": 
"4.9.51", "last_modified": "2023-12-06", "nvd_text": "The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a \"module reference and kernel daemon\" leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9059", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9059", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9059", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9059", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9059", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9059" } }, "CVE-2017-9074": { "affected_versions": "v2.6.12-rc2 to v4.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: Prevent overrun when parsing v6 header options", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "2423496af35d94a87156b063ea5cedffc10a70a1", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2017-9074", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9074", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9074", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9074", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9074", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9074" } }, "CVE-2017-9075": { "affected_versions": "v2.6.12-rc2 to v4.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: do not inherit ipv6_{mc|ac|fl}_list from parent", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9075", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9075", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9075", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9075", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9075", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9075" } }, "CVE-2017-9076": { 
"affected_versions": "v2.6.12-rc2 to v4.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6/dccp: do not inherit ipv6_mc_list from parent", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "83eaddab4378db256d00d295bda6ca997cd13a52", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9076", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9076", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9076", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9076", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9076", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9076" } }, "CVE-2017-9077": { "affected_versions": "v2.6.12-rc2 to v4.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6/dccp: do not inherit ipv6_mc_list from parent", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 
}, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "83eaddab4378db256d00d295bda6ca997cd13a52", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9077", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9077", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9077", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9077" } }, "CVE-2017-9150": { "affected_versions": "v4.4-rc1 to v4.12-rc1", "breaks": "1be7f75d1668d6296b80bf35dcf6762393530afc", "cmt_msg": "bpf: don't let ldimm64 leak map addresses on unprivileged", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "0d0e57697f162da4aa218b5feafe614fb666db07", "last_affected_version": "4.11.0", 
"last_modified": "2023-12-06", "nvd_text": "The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9150", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9150", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9150", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9150", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9150", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9150" } }, "CVE-2017-9211": { "affected_versions": "v4.8-rc1 to v4.12-rc3", "breaks": "4e6c3df4d729f85997cbf276bfa8ffd8579b8e77", "cmt_msg": "crypto: skcipher - Add missing API setkey checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "9933e113c2e87a9f46a40fde8dafbf801dca1ab9", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9211", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2017-9211", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9211", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9211", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9211", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9211" } }, "CVE-2017-9242": { "affected_versions": "v2.6.12-rc2 to v4.12-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: fix out of bound writes in __ip6_append_data()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "232cd35d0804cc241eb887bb8d4d9b3b9881c64a", "last_affected_version": "4.11.3", "last_modified": "2023-12-06", "nvd_text": "The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9242", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9242", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9242", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9242", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9242", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9242" } }, "CVE-2017-9605": { "affected_versions": "v3.14-rc1 to v4.12-rc5", "breaks": 
"a97e21923b421993258e8487f2a5700c1ba3897f", "cmt_msg": "drm/vmwgfx: Make sure backup_handle is always valid", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "07678eca2cf9c9a18584e546c2b2a0d0c9a3150c", "last_affected_version": "4.11.4", "last_modified": "2023-12-06", "nvd_text": "The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. 
If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9605", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9605", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9605", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9605", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9605", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9605" } }, "CVE-2017-9725": { "affected_versions": "v2.6.12-rc2 to v4.3-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm: cma: fix incorrect type conversion for size during dma allocation", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "67a2e213e7e937c41c52ab5bc46bf3f4de469f6e", "last_affected_version": "3.18.68", "last_modified": "2023-12-06", "nvd_text": "In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should fail.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9725", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2017-9725", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9725", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9725", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9725", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9725" } }, "CVE-2017-9984": { "affected_versions": "v2.6.30-rc1 to v4.13-rc1", "breaks": "f6c6383502751ceb6f2f3579ad22578ca44f91f5", "cmt_msg": "ALSA: msnd: Optimize / harden DSP and MIDI loops", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "20e2b791796bd68816fa115f12be5320de2b8021", "last_affected_version": "4.12.12", "last_modified": "2023-12-06", "nvd_text": "The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9984", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9984", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9984", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9984", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9984", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9984" } }, 
"CVE-2017-9985": { "affected_versions": "v2.6.30-rc1 to v4.13-rc1", "breaks": "f6c6383502751ceb6f2f3579ad22578ca44f91f5", "cmt_msg": "ALSA: msnd: Optimize / harden DSP and MIDI loops", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "20e2b791796bd68816fa115f12be5320de2b8021", "last_affected_version": "4.12.12", "last_modified": "2023-12-06", "nvd_text": "The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9985", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9985", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9985", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9985", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9985", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9985" } }, "CVE-2017-9986": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sound: Retire OSS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity 
Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "727dede0ba8afbd8d19116d39f2ae8d19d00033d", "last_modified": "2023-12-06", "nvd_text": "The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2017-9986", "ExploitDB": "https://www.exploit-db.com/search?cve=2017-9986", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2017-9986", "Red Hat": "https://access.redhat.com/security/cve/CVE-2017-9986", "SUSE": "https://www.suse.com/security/cve/CVE-2017-9986", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9986" } }, "CVE-2018-1000004": { "affected_versions": "v2.6.12-rc2 to v4.15-rc9", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: seq: Make ioctls race-free", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Race Conditions", "fixes": 
"b3defb791b26ea0683a93a4f49c77ec45ec96f10", "last_affected_version": "4.14.14", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1000004", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1000004", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000004", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1000004", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1000004", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000004" } }, "CVE-2018-1000026": { "affected_versions": "v2.6.12-rc2 to v4.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bnx2x: disable GSO where gso_size is too big for hardware", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 7.7 }, "cwe": "Input Validation", "fixes": "8914a595110a6eca69a5e275b323f5d09e18f4f9", "last_affected_version": "4.14.101", "last_modified": "2023-12-06", "nvd_text": "Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. 
This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1000026", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1000026", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000026", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1000026", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1000026", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000026" } }, "CVE-2018-1000028": { "affected_versions": "v4.15-rc4 to v4.15", "backport": true, "breaks": "bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758", "cmt_msg": "nfsd: auth: Fix gid sorting when rootsquash enabled", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "score": 5.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "score": 7.4 }, "cwe": "Improper Access Control", "fixes": "1995266727fa8143897e89b55f5d3c79aa828420", "last_affected_version": "4.14", "last_modified": "2023-12-06", "nvd_text": "Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the \"rootsquash\" options enabled. 
This vulnerability appears to have been fixed in after commit 1995266727fa.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1000028", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1000028", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000028", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1000028", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1000028", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000028" } }, "CVE-2018-1000199": { "affected_versions": "v2.6.33-rc1 to v4.16", "breaks": "44234adcdce38f83c56e05f808ce656175b4beeb", "cmt_msg": "perf/hwbp: Simplify the perf-hwbp code, fix documentation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Error Handling", "fixes": "f67b15037a7a50c57f72e69a6d59941ad90a0f0f", "last_affected_version": "4.15", "last_modified": "2023-12-06", "nvd_text": "The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. 
This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1000199", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1000199", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000199", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1000199", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1000199", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000199" } }, "CVE-2018-1000200": { "affected_versions": "v4.14-rc1 to v4.17-rc5", "breaks": "212925802454672e6cd2949a727f5e2c1377bf06", "cmt_msg": "mm, oom: fix concurrent munlock and oom reaper unmap, v3", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "27ae357fa82be5ab73b2ef8d39dcb8ca2563483a", "last_affected_version": "4.16.8", "last_modified": "2023-12-06", "nvd_text": "The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. 
The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1000200", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1000200", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000200", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1000200", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1000200", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000200" } }, "CVE-2018-1000204": { "affected_versions": "v2.6.12-rc2 to v4.17-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:S/C:C/I:N/A:N", "score": 6.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.3 }, "cwe": "Unspecified", "fixes": "a45b599ad808c3c982fdcdc12b0b8611c2f92824", "last_affected_version": "4.16.11", "last_modified": "2023-12-06", "nvd_text": "Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. 
This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it \"virtually impossible to exploit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1000204", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1000204", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000204", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1000204", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1000204", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000204" } }, "CVE-2018-10021": { "affected_versions": "v2.6.12-rc2 to v4.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: libsas: defer ata device eh commands to libata", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "318aaf34f1179b39fa9c30fa0f3288b645beee39", "last_affected_version": "4.14.43", "last_modified": "2023-12-06", "nvd_text": "drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by 
triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10021", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10021", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10021", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10021", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10021", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10021" } }, "CVE-2018-10074": { "affected_versions": "v4.16-rc1 to v4.16-rc7", "breaks": "4f16f7ff3bc02f6e1845677235fea157bdc0e59c", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "9903e41ae1f5d50c93f268ca3304d4d7c64b9311", "last_modified": "2023-12-06", "nvd_text": "The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10074", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10074", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10074", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10074", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10074", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10074" } }, "CVE-2018-10087": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kernel/exit.c: avoid undefined behaviour when calling wait4()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "dd83c161fbcc5d8be637ab159c0de015cbff5ba4", "last_affected_version": "4.9.100", "last_modified": "2023-12-06", "nvd_text": "The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10087", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10087", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10087", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10087", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10087", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10087" } }, "CVE-2018-10124": { "affected_versions": "v2.6.12-rc2 to v4.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kernel/signal.c: avoid undefined behaviour in kill_something_info", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality 
Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "4ea77014af0d6205b05503d1c7aac6eace11d473", "last_affected_version": "4.9.103", "last_modified": "2023-12-06", "nvd_text": "The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10124", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10124", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10124", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10124", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10124", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10124" } }, "CVE-2018-10322": { "affected_versions": "v2.6.12-rc2 to v4.17-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: enhance dinode verifier", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "b42db0860e13067fcc7cbfba3966c9e652668bbc", "last_modified": 
"2023-12-06", "nvd_text": "The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10322", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10322", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10322", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10322", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10322", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10322" } }, "CVE-2018-10323": { "affected_versions": "v2.6.12-rc2 to v4.17-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: set format back to extents if xfs_bmap_extents_to_btree", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "2c4306f719b083d17df2963bc761777576b8ad1b", "last_affected_version": "4.14.190", "last_modified": "2023-12-06", "nvd_text": "The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10323", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10323", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-10323", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10323", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10323", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10323" } }, "CVE-2018-1065": { "affected_versions": "v4.3-rc1 to v4.16-rc3", "breaks": "7814b6ec6d0d63444abdb49554166c8cfcbd063e", "cmt_msg": "netfilter: add back stackpointer size checks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "NULL Pointer Dereference", "fixes": "57ebd808a97d7c5b1e1afb937c2db22beba3c1f8", "last_affected_version": "4.15.9", "last_modified": "2023-12-06", "nvd_text": "The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1065", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1065", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1065", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1065", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1065", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1065" } }, "CVE-2018-1066": { "affected_versions": "v2.6.12-rc2 to v4.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "CIFS: Enable encryption during session setup phase", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "NULL Pointer Dereference", "fixes": "cabfb3680f78981d26c078a26e5c748531257ebb", "last_affected_version": "4.9.89", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1066", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1066", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1066", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1066", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1066", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1066" } }, "CVE-2018-10675": { "affected_versions": "v2.6.12-rc2 to v4.13-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm/mempolicy: fix use after free when calling get_mempolicy", "cvss2": { "Access Complexity": "Low", "Access Vector": 
"Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "73223e4e2e3867ebf033a5a8eb2e5df0158ccc99", "last_affected_version": "4.12.8", "last_modified": "2023-12-06", "nvd_text": "The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10675", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10675", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10675", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10675", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10675", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10675" } }, "CVE-2018-1068": { "affected_versions": "v2.6.12-rc2 to v4.16-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "b71812168571fa55e44cdd0254471331b9c4c4c6", "last_affected_version": "4.15.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1068", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1068", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1068", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1068", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1068", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1068" } }, "CVE-2018-10840": { "affected_versions": "v4.13-rc1 to v4.18-rc1", "breaks": "dec214d00e0d78a08b947d7dccdfdb84407a9f4d", "cmt_msg": "ext4: correctly handle a zero-length xattr with a non-zero e_value_offs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Buffer Errors", "fixes": "8a2b307c21d4b290e3cbe33f768f194286d07c23", "last_affected_version": "4.17.2", "last_modified": "2023-12-06", "nvd_text": "Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. 
An attacker could exploit this by operating on a mounted crafted ext4 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10840", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10840", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10840", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10840", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10840", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10840" } }, "CVE-2018-10853": { "affected_versions": "v4.10-rc4 to v4.18-rc1", "breaks": "129a72a0d3c8e139a04512325384fe5ac119e74d", "cmt_msg": "kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "3c9fa24ca7c9c47605672916491f79e8ccacb9e6", "last_affected_version": "4.17.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. 
An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10853", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10853", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10853", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10853", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10853", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10853" } }, "CVE-2018-1087": { "affected_versions": "v2.6.30-rc1 to v4.16-rc7", "breaks": "42dbaa5a057736bf8b5c22aa42dbe975bf1080e5", "cmt_msg": "kvm/x86: fix icebp instruction handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "32d43cd391bacb5f0814c2624399a5dad3501d09", "last_affected_version": "4.15.13", "last_modified": "2023-12-06", "nvd_text": "kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. 
An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1087", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1087", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1087", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1087", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1087", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1087" } }, "CVE-2018-10872": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in DoS. This CVE-2018-10872 was assigned due to regression of CVE-2018-8897 in Red Hat Enterprise Linux 6.10 GA kernel. 
No other versions are affected by this CVE.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10872", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10872", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10872", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10872", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10872", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10872" }, "vendor_specific": true }, "CVE-2018-10876": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: only look at the bg_flags field if it is valid", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "8844618d8aa7a9973e7b527d038a2a589665002c", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in Linux kernel in the ext4 filesystem code. 
A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10876", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10876", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10876", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10876", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10876", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10876" } }, "CVE-2018-10877": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: verify the depth of extent tree in ext4_find_extent()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "score": 6.5 }, "cwe": "Out-of-bounds Read", "fixes": "bc890a60247171294acc0bd67d211fa4b88d40ba", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10877", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10877", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10877", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10877", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10877", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10877" } }, "CVE-2018-10878": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: always check block group bounds in ext4_init_block_bitmap()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "819b23f1c501b17b9694325471789e6b5cc2d0d2", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's ext4 filesystem. 
A local user can cause an out-of-bounds write, a denial of service, or other unspecified impact by mounting and operating a crafted ext4 filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10878", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10878", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10878", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10878", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10878", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10878" } }, "CVE-2018-10879": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: make sure bitmaps and the inode table don't overlap with bg descriptors", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "77260807d1170a8cf35dbb06e07461a655f67eee", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's ext4 filesystem. 
A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10879", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10879", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10879", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10879", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10879", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10879" } }, "CVE-2018-10880": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: never move the system.data xattr out of the inode body", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Write", "fixes": "8cdb5240ec5928b20490a2bb34cb87e9a5f40226", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). 
An attacker could use this to cause a system crash and a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10880", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10880", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10880", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10880", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10880", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10880" } }, "CVE-2018-10881": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: clear i_data in ext4_inode_info when removing inline data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "6e8ab72a812396996035a37e5ca4b3b99b5d214b", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's ext4 filesystem. 
A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10881", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10881", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10881", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10881", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10881", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10881" } }, "CVE-2018-10882": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: add more inode number paranoia checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Write", "fixes": "c37e9e013469521d9adb932d17a1795c139b36db", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's ext4 filesystem. 
A local user can cause an out-of-bounds write in the fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10882", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10882", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10882", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10882", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10882", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10882" } }, "CVE-2018-10883": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jbd2: don't mark block as modified if the handle is out of credits", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Write", "fixes": "e09463f220ca9a1a1ecfda84fcda658f99a1f12a", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's ext4 filesystem. 
A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10883", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10883", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10883", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10883", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10883", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10883" } }, "CVE-2018-10901": { "affected_versions": "v2.6.12-rc2 to v2.6.36-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "3444d7da1839b851eefedd372978d8a982316c36", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. 
An attacker can use this to escalate their privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10901", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10901", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10901", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10901", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10901", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10901" } }, "CVE-2018-10902": { "affected_versions": "v2.6.12-rc2 to v4.18-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: rawmidi: Change resized buffers atomically", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "39675f7a7c7e7702f7d5341f1e0d01db746543a0", "last_affected_version": "4.17.9", "last_modified": "2023-12-06", "nvd_text": "It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. 
A malicious local attacker could possibly use this for privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10902", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10902", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10902", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10902", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10902", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10902" } }, "CVE-2018-1091": { "affected_versions": "v4.13-rc4 to v4.14-rc2", "breaks": "cd63f3cf1d59b7ad8419eba1cac8f9126e79cc43", "cmt_msg": "powerpc/tm: Flush TM only if CPU has TM feature", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "c1fa0768a8713b135848f78fd43ffc208d8ded70", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1091", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1091", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1091", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2018-1091", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1091", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1091" } }, "CVE-2018-1092": { "affected_versions": "v2.6.12-rc2 to v4.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: fail ext4_iget for root directory if unallocated", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44", "last_affected_version": "4.16.3", "last_modified": "2023-12-06", "nvd_text": "The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1092", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1092", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1092", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1092", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1092", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1092" } }, "CVE-2018-1093": { "affected_versions": "v2.6.12-rc2 to v4.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: add validity checks for bitmap block numbers", 
"cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "7dac4a1726a9c64a517d595c40e95e2d0d135f6f", "last_affected_version": "4.16.6", "last_modified": "2023-12-06", "nvd_text": "The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1093", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1093", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1093", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1093", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1093", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1093" } }, "CVE-2018-10938": { "affected_versions": "v4.0-rc1 to v4.13-rc5", "breaks": "04f81f0154e4bf002be6f4d85668ce1257efa4d9", "cmt_msg": "Cipso: cipso_v4_optptr enter infinite loop", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": 
"None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Resource Management Errors", "fixes": "40413955ee265a5e42f710940ec78f5450d49149", "last_affected_version": "4.9.124", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10938", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-10938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10938", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10938", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10938" } }, "CVE-2018-1094": { "affected_versions": "v4.13-rc1 to v4.17-rc1", "breaks": "dec214d00e0d78a08b947d7dccdfdb84407a9f4d", "cmt_msg": "ext4: always initialize the crc32c checksum driver", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "a45403b51582a87872927a3e0fc0a389c26867f1", 
"last_affected_version": "4.16.3", "last_modified": "2023-12-06", "nvd_text": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1094", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1094", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1094", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1094", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1094", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1094" } }, "CVE-2018-10940": { "affected_versions": "v2.6.12-rc2 to v4.17-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cdrom: information leak in cdrom_ioctl_media_changed()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "9de4ee40547fd315d4a0ed1dd15a2fa3559ad707", "last_affected_version": "4.16.5", "last_modified": "2023-12-06", "nvd_text": "The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-10940", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2018-10940", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-10940", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-10940", "SUSE": "https://www.suse.com/security/cve/CVE-2018-10940", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10940" } }, "CVE-2018-1095": { "affected_versions": "v4.13-rc1 to v4.17-rc1", "breaks": "e50e5129f384ae282adebfb561189cdb19b81cee", "cmt_msg": "ext4: limit xattr size to INT_MAX", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "ce3fd194fcc6fbdc00ce095a852f22df97baa401", "last_affected_version": "4.16.3", "last_modified": "2023-12-06", "nvd_text": "The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1095", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1095", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1095", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1095" } }, "CVE-2018-1108": { 
"affected_versions": "v4.8-rc1 to v4.17-rc2", "breaks": "e192be9d9a30555aae2ca1dc3aad37cba484cd4a", "cmt_msg": "random: fix crng_ready() test", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 5.9 }, "cwe": "Cryptographic Issues", "fixes": "43838a23a05fbd13e47d750d3dfd77001536dd33", "last_affected_version": "4.16.3", "last_modified": "2023-12-06", "nvd_text": "kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1108", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1108", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1108", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1108", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1108", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1108" } }, "CVE-2018-1118": { "affected_versions": "v4.8-rc1 to v4.18-rc1", "breaks": "6b1e6cc7855b09a0a9bfa1d9f30172ba366f161c", "cmt_msg": "vhost: fix info leak due to uninitialized memory", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack 
Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "670ae9caaca467ea1bfd325cb2a5c98ba87f94ad", "last_affected_version": "4.17.2", "last_modified": "2023-12-06", "nvd_text": "Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1118", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1118", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1118", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1118", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1118", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1118" } }, "CVE-2018-1120": { "affected_versions": "v2.6.12-rc2 to v4.17-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "proc: do not access cmdline nor environ from file-backed areas", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "score": 3.5 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.3 }, "cwe": "Buffer Errors", "fixes": "7f7ccc2ccc2e70c6054685f5e3522efa81556830", "last_affected_version": 
"4.16.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/PID/cmdline (or /proc/PID/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1120", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1120", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1120", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1120", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1120", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1120" } }, "CVE-2018-1121": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 5.9 }, "cwe": "Race Conditions", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. 
An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1121", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1121", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1121", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1121", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1121", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1121" } }, "CVE-2018-11232": { "affected_versions": "v4.10-rc1 to v4.11-rc1", "breaks": "d52c9750f150111dc7f73e4036f6948b20c9f8c3", "cmt_msg": "coresight: fix kernel panic caused by invalid CPU", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "f09444639099584bc4784dfcd85ada67c6f33e0f", "last_affected_version": "4.10.1", "last_modified": "2023-12-06", "nvd_text": "The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-11232", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-11232", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-11232", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2018-11232", "SUSE": "https://www.suse.com/security/cve/CVE-2018-11232", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11232" } }, "CVE-2018-1128": { "affected_versions": "unk to v4.19-rc1", "breaks": "", "cmt_msg": "libceph: add authorizer challenge", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:M/Au:N/C:P/I:P/A:P", "score": 5.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.5 }, "cwe": "Authentication Issues", "fixes": "6daca13d2e72bedaaacfc08f873114c9307d5aea", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. 
Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1128", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1128", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1128", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1128" } }, "CVE-2018-1129": { "affected_versions": "unk to v4.19-rc1", "breaks": "", "cmt_msg": "libceph: implement CEPHX_V2 calculation mode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 6.5 }, "cwe": "Authentication Issues", "fixes": "cc255c76c70f7a87d97939621eae04b600d9f4a1", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. 
Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1129", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1129", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1129", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1129", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1129", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1129" } }, "CVE-2018-1130": { "affected_versions": "v2.6.12-rc2 to v4.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dccp: check sk for closed state in dccp_sendmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "67f93df79aeefc3add4e4b31a752600f834236e2", "last_affected_version": "4.15.14", "last_modified": "2023-12-06", "nvd_text": "Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-1130", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-1130", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-1130", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-1130", "SUSE": "https://www.suse.com/security/cve/CVE-2018-1130", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1130" } }, "CVE-2018-11412": { "affected_versions": "v4.13-rc1 to v4.18-rc1", "breaks": "e50e5129f384ae282adebfb561189cdb19b81cee", "cmt_msg": "ext4: do not allow external inodes for inline data", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Use After Free", "fixes": "117166efb1ee8f13c38f9e96b258f16d4923f888", "last_affected_version": "4.17.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-11412", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-11412", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-11412", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-11412", "SUSE": "https://www.suse.com/security/cve/CVE-2018-11412", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11412" } }, "CVE-2018-11506": { "affected_versions": "v4.11-rc1 to v4.17-rc7", "breaks": "82ed4db499b8598f16f8871261bff088d6b0597f", "cmt_msg": "sr: pass down correctly sized SCSI sense buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality 
Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "f7068114d45ec55996b9040e98111afa56e010fe", "last_affected_version": "4.16.12", "last_modified": "2023-12-06", "nvd_text": "The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-11506", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-11506", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-11506", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-11506", "SUSE": "https://www.suse.com/security/cve/CVE-2018-11506", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11506" } }, "CVE-2018-11508": { "affected_versions": "v4.13-rc1 to v4.17-rc5", "breaks": "3a4d44b6162555070194e486ff6b3799a8d323a2", "cmt_msg": "compat: fix 4-byte infoleak via uninitialized struct field", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "0a0b98734479aa5b3c671d5190e86273372cab95", "last_affected_version": "4.16.8", "last_modified": "2023-12-06", "nvd_text": "The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-11508", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-11508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-11508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-11508", "SUSE": "https://www.suse.com/security/cve/CVE-2018-11508", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11508" } }, "CVE-2018-11987": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-11987", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-11987", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-11987", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2018-11987", "SUSE": "https://www.suse.com/security/cve/CVE-2018-11987", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11987" }, "vendor_specific": true }, "CVE-2018-12126": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390/speculation: Support 'mitigations=' cmdline option", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "0336e04a6520bdaefdb0769d2a70084fa52e81ed", "last_affected_version": "5.1.1", "last_modified": "2023-12-06", "name": "Fallout", "nvd_text": "Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 
A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12126", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12126", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12126", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12126", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12126", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126" } }, "CVE-2018-12127": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390/speculation: Support 'mitigations=' cmdline option", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "0336e04a6520bdaefdb0769d2a70084fa52e81ed", "last_affected_version": "5.1.1", "last_modified": "2023-12-06", "name": "RIDL", "nvd_text": "Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 
A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12127", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12127", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12127", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12127", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12127", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127" } }, "CVE-2018-12130": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390/speculation: Support 'mitigations=' cmdline option", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "0336e04a6520bdaefdb0769d2a70084fa52e81ed", "last_affected_version": "5.1.1", "last_modified": "2023-12-06", "name": "Zombieload", "nvd_text": "Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 
A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12130", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12130", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12130", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12130", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12130", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130" } }, "CVE-2018-12207": { "affected_versions": "v2.6.12-rc2 to v5.4-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kvm: x86, powerpc: do not allow clearing largepages debugfs entry", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Input Validation", "fixes": "833b45de69a6016c4b0cebe6765d526a31a81580", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12207", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12207", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12207", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2018-12207", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12207", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12207" } }, "CVE-2018-12232": { "affected_versions": "v4.10-rc1 to v4.18-rc1", "breaks": "86741ec25462e4c8cdce6df2f41ead05568c7d5e", "cmt_msg": "socket: close race condition between sock_close() and sockfs_setattr()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Race Conditions", "fixes": "6d8c50dcb029872b298eea68cc6209c866fd3e14", "last_affected_version": "4.17.2", "last_modified": "2023-12-06", "nvd_text": "In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. 
fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12232", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12232", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12232", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12232", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12232", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12232" } }, "CVE-2018-12233": { "affected_versions": "v2.6.12-rc2 to v4.18-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jfs: Fix inconsistency between memory allocation and ea_buf->max_size", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "92d34134193e5b129dc24f8d79cb9196626e8d7a", "last_affected_version": "4.17.13", "last_modified": "2023-12-06", "nvd_text": "In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. 
A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12233", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12233", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12233", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12233", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12233", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12233" } }, "CVE-2018-12633": { "affected_versions": "v4.16-rc1 to v4.18-rc1", "breaks": "0ba002bc4393dcfae031fc707b11c094b46a5048", "cmt_msg": "virt: vbox: Only copy_from_user the request-header once", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:C", "score": 6.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "cwe": "Race Conditions", "fixes": "bd23a7269834dc7c1f93e83535d16ebc44b75eba", "last_affected_version": "4.17.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. 
This bug can cause a local denial of service and information leakage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12633", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12633", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12633", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12633" } }, "CVE-2018-12714": { "affected_versions": "v4.17-rc1 to v4.18-rc2", "breaks": "80765597bc587feae8dbc8ce97a0f32e12a6e625", "cmt_msg": "tracing: Check for no filter when processing event filters", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Out-of-bounds Write", "fixes": "70303420b5721c38998cf987e6b7d30cc62d4ff1", "last_affected_version": "4.17.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. 
This allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via crafted perf_event_open and mmap system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12714", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12714", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12714", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12714", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12714", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12714" } }, "CVE-2018-12896": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "posix-timers: Sanitize overrun handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Integer Overflow or Wraparound", "fixes": "78c9c4dfbf8c04883941445a195276bb4bb92c76", "last_affected_version": "4.18.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. 
For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12896", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12896", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12896", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12896" } }, "CVE-2018-12904": { "affected_versions": "v4.12-rc1 to v4.18-rc1", "breaks": "70f3aac964ae2bc9a0a1d5d65a62e258591ade18", "cmt_msg": "kvm: nVMX: Enforce cpl=0 for VMX instructions", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "score": 4.9 }, "cwe": "Unspecified", "fixes": "727ba748e110b4de50d142edca9d6a9b7e6111d8", "last_affected_version": "4.17.1", "last_modified": "2023-12-06", "nvd_text": "In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12904", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12904", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12904", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12904", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-12904", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12904" } }, "CVE-2018-12928": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12928", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12928", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12928", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12928", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12928", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12928" } }, "CVE-2018-12929": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": 
"Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12929", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12929", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12929", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12929", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12929", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12929" } }, "CVE-2018-12930": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12930", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2018-12930", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12930", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12930", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12930", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12930" } }, "CVE-2018-12931": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-12931", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-12931", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-12931", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-12931", "SUSE": "https://www.suse.com/security/cve/CVE-2018-12931", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12931" } }, "CVE-2018-13053": { "affected_versions": "v3.0-rc1 to v4.19-rc1", "breaks": "9a7adcf5c6dea63d2e47e6f6d2f7a6c9f48b9337", "cmt_msg": "alarmtimer: Prevent overflow for relative nanosleep", "cvss2": { "Access Complexity": "Low", "Access 
Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Integer Overflow or Wraparound", "fixes": "5f936e19cc0ef97dbe3a56e9498922ad5ba1edef", "last_affected_version": "4.18.11", "last_modified": "2023-12-06", "nvd_text": "The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13053", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13053", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13053", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13053", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13053" } }, "CVE-2018-13093": { "affected_versions": "v2.6.12-rc2 to v4.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: validate cached inodes are free when allocated", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 
"score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "afca6c5b2595fc44383919fba740c194b0b76aff", "last_affected_version": "4.17.13", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13093", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13093", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13093", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13093", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13093", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13093" } }, "CVE-2018-13094": { "affected_versions": "v2.6.12-rc2 to v4.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: don't call xfs_da_shrink_inode with NULL bp", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a", "last_affected_version": "4.17.13", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. 
An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13094", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13094", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13094", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13094", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13094", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13094" } }, "CVE-2018-13095": { "affected_versions": "v2.6.12-rc2 to v4.18-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: More robust inode extent count validation", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "23fcb3340d033d9f081e21e6c12c2db7eaa541d3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. 
A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13095", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13095", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13095", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13095" } }, "CVE-2018-13096": { "affected_versions": "v3.8-rc1 to v4.19-rc1", "breaks": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "cmt_msg": "f2fs: fix to do sanity check with node footer and iblocks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "e34438c903b653daca2b2a7de95aed46226f8ed3", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. 
A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13096", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13096", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13096", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13096", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13096", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13096" } }, "CVE-2018-13097": { "affected_versions": "v3.8-rc1 to v4.19-rc1", "breaks": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "cmt_msg": "f2fs: fix to do sanity check with user_block_count", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "9dc956b2c8523aed39d1e6508438be9fea28c8fc", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. 
There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13097", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13097", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13097", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13097", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13097", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13097" } }, "CVE-2018-13098": { "affected_versions": "v3.8-rc1 to v4.19-rc1", "breaks": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "cmt_msg": "f2fs: fix to do sanity check with extra_attr feature", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "76d56d4ab4f2a9e4f085c7d77172194ddaccf7d2", "last_affected_version": "4.18.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. 
A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13098", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13098", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13098", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13098", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13098", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13098" } }, "CVE-2018-13099": { "affected_versions": "v3.14-rc1 to v4.19-rc1", "breaks": "bfad7c2d40332be6a1d7a89660bceb0f6ea1d73a", "cmt_msg": "f2fs: fix to do sanity check with reserved blkaddr of inline inode", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "4dbe38dc386910c668c75ae616b99b823b59f3eb", "last_affected_version": "4.18.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. 
A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13099", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13099", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13099", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13099", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13099", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13099" } }, "CVE-2018-13100": { "affected_versions": "v3.8-rc1 to v4.19-rc1", "breaks": "aff063e266cbf4754021d8e5d16ee418560906fd", "cmt_msg": "f2fs: fix to do sanity check with secs_per_zone", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Divide By Zero", "fixes": "42bf546c1fe3f3654bdf914e977acbc2b80a5be5", "last_affected_version": "4.18.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13100", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13100", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13100", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13100", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-13100", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13100" } }, "CVE-2018-13405": { "affected_versions": "v2.6.12-rc2 to v4.18-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Fix up non-directory creation in SGID directories", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7", "last_affected_version": "4.17.6", "last_modified": "2023-12-06", "nvd_text": "The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. 
The non-member can escalate privileges by making the plain file executable and SGID.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13405", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13405", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13405", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13405", "SUSE": "https://www.suse.com/security/cve/CVE-2018-13405", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13405" } }, "CVE-2018-13406": { "affected_versions": "v2.6.24-rc1 to v4.18-rc1", "breaks": "8bdb3a2d7df48b861972c4bfb58490853a228f51", "cmt_msg": "video: uvesafb: Fix integer overflow in allocation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "9f645bcc566a1e9f921bdae7528a01ced5bc3713", "last_affected_version": "4.17.3", "last_modified": "2023-12-06", "nvd_text": "An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-13406", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-13406", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-13406", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-13406", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-13406", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13406" } }, "CVE-2018-14609": { "affected_versions": "v2.6.31-rc1 to v4.19-rc1", "breaks": "5d4f98a28c7d334091c1b7744f48a1acdd2a4ae0", "cmt_msg": "btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "389305b2aa68723c754f88d9dbd268a400e10664", "last_affected_version": "4.18.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14609", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14609", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14609", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14609", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14609", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14609" } }, "CVE-2018-14610": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: Check that each block group has corresponding chunk at mount time", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "514c7dca85a0bf40be984dab0b477403a6db901f", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14610", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14610", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14610", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14610" } }, "CVE-2018-14611": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: validate type when reading a chunk", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "315409b0098fb2651d86553f0436b70502b29bb2", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14611", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14611", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14611", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14611" } }, "CVE-2018-14612": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: tree-checker: Detect invalid and empty essential trees", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "ba480dd4db9f1798541eb2d1c423fc95feee8d36", "last_affected_version": "4.18.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14612", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14612", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14612", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14612", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14612", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14612" } }, "CVE-2018-14613": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: tree-checker: Verify block_group_item", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "fce466eab7ac6baa9d2dcd88abcf945be3d4a089", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14613", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14613", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14613", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14613", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14613", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14613" } }, "CVE-2018-14614": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to do sanity check with cp_pack_start_sum", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "e494c2f995d6181d6e29c4927d68e0f295ecf75b", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is an out-of-bounds access in __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14614", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14614", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14614", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14614", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14614", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14614" } }, "CVE-2018-14615": { "affected_versions": "v4.14-rc1 to v4.19-rc1", "breaks": "7a2af766af15887754f7f7a0869b4603b390876a", "cmt_msg": "f2fs: fix to do sanity check with i_extra_isize", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "18dd6470c2d14d10f5a2dd926925dc80dbd3abfd", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is a buffer overflow in truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be negative.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14615", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14615", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14615", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14615", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14615", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14615" } }, "CVE-2018-14616": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to do sanity check with block address in main area v2", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "91291e9998d208370eb8156c760691b873bd7522", "last_affected_version": "4.14.87", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14616", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14616", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14616", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14616", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14616", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14616" } }, "CVE-2018-14617": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "hfsplus: fix NULL dereference in hfsplus_lookup()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4", "last_affected_version": "4.18.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.10. 
There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14617", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14617", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14617", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14617", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14617", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14617" } }, "CVE-2018-14619": { "affected_versions": "v4.14-rc1 to v4.15-rc4", "breaks": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7", "cmt_msg": "crypto: algif_aead - fix reference counting of null skcipher", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "b32a7dc8aef1882fbf983eb354837488cc9d54dc", "last_affected_version": "4.14.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. The \"null skcipher\" was being dropped when each af_alg_ctx was freed instead of when the aead_tfm was freed. 
This can cause the null skcipher to be freed while it is still in use leading to a local user being able to crash the system or possibly escalate privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14619", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14619", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14619", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14619", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14619", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14619" } }, "CVE-2018-14625": { "affected_versions": "v4.8-rc1 to v4.20-rc6", "breaks": "433fc58e6bf2c8bd97e57153ed28e64fd78207b8", "cmt_msg": "vhost/vsock: fix use-after-free in network stack callers", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "834e772c8db0c6a275d75315d90aba4ebbb1e249", "last_affected_version": "4.19.8", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. 
A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14625", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14625", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14625", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14625", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14625", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14625" } }, "CVE-2018-14633": { "affected_versions": "v3.1-rc1 to v4.19-rc6", "breaks": "e48354ce078c079996f89d715dfa44814b4eba01", "cmt_msg": "scsi: target: iscsi: Use hex2bin instead of a re-implementation", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "score": 8.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "score": 7.0 }, "cwe": "Buffer Errors", "fixes": "1816494330a83f2a064499d8ed2797045641f92c", "last_affected_version": "4.18.10", "last_modified": "2023-12-06", "nvd_text": "A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. 
depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14633", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14633", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14633", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14633" } }, "CVE-2018-14634": { "affected_versions": "v2.6.23-rc1 to v4.13-rc1", "breaks": "b6a2fea39318e43fee84fa7b0b90d68bed92d2ba", "cmt_msg": "exec: Limit arg stack to at most 75% of _STK_LIM", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "da029c11e6b12f321f36dac8771e833b65cec962", "last_affected_version": "4.12.2", "last_modified": "2023-12-06", "name": "Mutagen Astronomy", "nvd_text": "An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. 
Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14634", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14634", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14634", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14634", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14634" } }, "CVE-2018-14641": { "affected_versions": "v4.19-rc1 to v4.19-rc4", "breaks": "fa0f527358bd900ef92f925878ed6bfbd51305cc", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Input Validation", "fixes": "5d407b071dc369c26a38398326ee2be53651cfe4", "last_modified": "2023-12-06", "nvd_text": "A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). 
With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14641", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14641", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14641", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14641", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14641", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14641" } }, "CVE-2018-14646": { "affected_versions": "v4.15-rc1 to v4.15-rc8", "breaks": "79e1ad148c844f5c8b9d76b36b26e3886dca95ae", "cmt_msg": "rtnetlink: give a user socket to get_target_net()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "f428fe4a04cc339166c8bbd489789760de3a0cee", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. 
A local attacker could exploit this, when a net namespace with a netnsid is assigned, to cause a kernel panic and a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14646", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14646", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14646", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14646" } }, "CVE-2018-14656": { "affected_versions": "v4.18-rc1 to v4.19-rc2", "breaks": "7cccf0725cf7402514e09c52b089430005798b7f", "cmt_msg": "x86/dumpstack: Don't dump kernel memory based on usermode RIP", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Input Validation", "fixes": "342db04ae71273322f0011384a9ed414df8bdae4", "last_affected_version": "4.18.5", "last_modified": "2023-12-06", "nvd_text": "A missing address check in the callers of show_opcodes() in the Linux kernel allows a local attacker to dump kernel memory at an arbitrary kernel address into the dmesg log.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14656", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14656", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14656", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14656" } }, "CVE-2018-14678": { "affected_versions": "v4.16-rc2 to v4.18-rc8", "breaks": "3ac6d8c787b835b997eb23e43e09aa0895ef7d58", "cmt_msg": "x86/entry/64: Remove %ebx handling from error_entry/exit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "b3681dd548d06deb2e1573890829dff4b15abf46", "last_affected_version": "4.17.12", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). 
Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14678", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14678", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14678", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14678", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14678", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14678" } }, "CVE-2018-14734": { "affected_versions": "v2.6.21-rc1 to v4.18-rc1", "breaks": "c8f6a362bf3eb28ade6027b49bb160a336dd51c0", "cmt_msg": "infiniband: fix a possible use-after-free bug", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "cb2595c1393b4a5211534e6f0a0fbad369e21ad8", "last_affected_version": "4.17.11", "last_modified": "2023-12-06", "nvd_text": "drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-14734", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-14734", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-14734", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-14734", "SUSE": "https://www.suse.com/security/cve/CVE-2018-14734", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14734" } }, "CVE-2018-15471": { "affected_versions": "v4.7-rc1 to v4.19-rc7", "breaks": "40d8abdee806d496a60ee607a6d01b1cd7fabaf0", "cmt_msg": "xen-netback: fix input validation in xenvif_set_hash_mapping()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:S/C:C/I:C/A:C", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "780e83c259fc33e8959fed8dfdad17e378d72b62", "last_affected_version": "4.18.13", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. 
A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-15471", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-15471", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-15471", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-15471", "SUSE": "https://www.suse.com/security/cve/CVE-2018-15471", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15471" } }, "CVE-2018-15572": { "affected_versions": "v4.15-rc9 to v4.19-rc1", "backport": true, "breaks": "c995efd5a740d9cbafbf58bde4973e8b50b4d761", "cmt_msg": "x86/speculation: Protect against userspace-userspace spectreRSB", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Unspecified", "fixes": "fdf82a7856b32d905c39afc85e34364491e46346", "last_affected_version": "4.18.0", "last_modified": "2023-12-06", "nvd_text": "The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-15572", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-15572", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-15572", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-15572", "SUSE": "https://www.suse.com/security/cve/CVE-2018-15572", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15572" } }, "CVE-2018-15594": { "affected_versions": "v4.16-rc4 to v4.19-rc1", "breaks": "3010a0663fd949d122eca0561b06b0a9453f7866", "cmt_msg": "x86/paravirt: Fix spectre-v2 mitigations for paravirt guests", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Security Features", "fixes": "5800dc5c19f34e6e03b5adab1282535cb102fafd", "last_affected_version": "4.18.0", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-15594", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-15594", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-15594", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-15594", "SUSE": "https://www.suse.com/security/cve/CVE-2018-15594", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15594" } }, "CVE-2018-16276": { "affected_versions": "v2.6.37-rc1 to v4.18-rc5", "breaks": "6bc235a2e24a5ef677daee3fd4f74f6cd643e23c", "cmt_msg": "USB: yurex: fix out-of-bounds uaccess in read handler", "cvss2": { "Access Complexity": 
"Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "f1e255d60ae66a9f672ff9a207ee6cd8e33d2679", "last_affected_version": "4.17.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16276", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16276", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16276", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16276", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16276", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16276" } }, "CVE-2018-16597": { "affected_versions": "v3.18-rc2 to v4.8-rc1", "breaks": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c", "cmt_msg": "ovl: modify ovl_permission() to do checks on two inodes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:N/I:C/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862", "last_affected_version": "4.4.184", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16597", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16597", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16597", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16597", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16597", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16597" } }, "CVE-2018-16658": { "affected_versions": "v2.6.12-rc2 to v4.19-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "score": 6.1 }, "cwe": "Information Leak / Disclosure", "fixes": "8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4", "last_affected_version": "4.18.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.18.6. 
An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16658", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16658", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16658", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16658", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16658", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16658" } }, "CVE-2018-16862": { "affected_versions": "v3.15-rc1 to v4.20-rc5", "breaks": "91b0abe36a7b2b3b02d7500925a5f8455334f0e5", "cmt_msg": "mm: cleancache: fix corruption on missed inode invalidation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "6ff38bd40230af35e446239396e5fc8ebd6a5248", "last_affected_version": "4.19.6", "last_modified": "2023-12-06", "nvd_text": "A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). 
The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16862", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16862", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16862", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16862", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16862", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16862" } }, "CVE-2018-16871": { "affected_versions": "v4.5-rc1 to v4.20-rc3", "breaks": "ffa0160a103917defd5d9c097ae0455a59166e03", "cmt_msg": "nfsd: COPY and CLONE operations require the saved filehandle to be set", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "01310bb7c9c98752cc763b36532fab028e0f8f81", "last_affected_version": "4.19.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. 
Any outstanding disk writes to the NFS server will be lost.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16871", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16871", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16871", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16871", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16871", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16871" } }, "CVE-2018-16880": { "affected_versions": "v4.16-rc1 to v5.0-rc5", "breaks": "e2b3b35eb9896f26c98b9a2c047d9111638059a2", "cmt_msg": "vhost: fix OOB in get_rx_bufs()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Out-of-bounds Write", "fixes": "b46a0bf78ad7b150ef5910da83859f7f5a514ffd", "last_affected_version": "4.20.6", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. 
Versions from v4.16 and newer are vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16880", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16880", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16880", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16880", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16880", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16880" } }, "CVE-2018-16882": { "affected_versions": "v4.14-rc1 to v4.20", "breaks": "5e2f30b756a37bd80c5b0471d0e10d769ab2eb9a", "cmt_msg": "KVM: Fix UAF in nested posted interrupt processing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Use After Free", "fixes": "c2dd5146e9fe1f22c77c1b011adf84eea0245806", "last_affected_version": "4.19", "last_modified": "2023-12-06", "nvd_text": "A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. 
Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16882", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16882", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16882", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16882", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16882", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16882" } }, "CVE-2018-16884": { "affected_versions": "v3.7-rc1 to v5.0-rc1", "breaks": "23c20ecd44750dd42e5fd53285a17ca8d8a9b0a3", "cmt_msg": "sunrpc: use-after-free in svc_process_common()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:S/C:P/I:P/A:C", "score": 6.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.0 }, "cwe": "Use After Free", "fixes": "d4b09acf924b84bae77cad090a9d108e70b43643", "last_affected_version": "4.20.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. 
Due to the nature of the flaw, privilege escalation cannot be fully ruled out.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16884", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16884", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16884", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16884" } }, "CVE-2018-16885": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. 
This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-16885", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-16885", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-16885", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-16885", "SUSE": "https://www.suse.com/security/cve/CVE-2018-16885", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16885" }, "vendor_specific": true }, "CVE-2018-17182": { "affected_versions": "v3.16-rc1 to v4.19-rc4", "breaks": "6b4ebc3a9078c5b7b8c4cf495a0b1d2d0e0bfe7a", "cmt_msg": "mm: get rid of vmacache_flush_all() entirely", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "7a9cdebdcc17e426fb5287e4a82db1dfe86339b2", "last_affected_version": "4.18.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. 
An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-17182", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-17182", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-17182", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-17182", "SUSE": "https://www.suse.com/security/cve/CVE-2018-17182", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17182" } }, "CVE-2018-17972": { "affected_versions": "v2.6.29-rc1 to v4.19-rc7", "breaks": "2ec220e27f5040aec1e88901c1b6ea3d135787ad", "cmt_msg": "proc: restrict kernel stack dumps to root", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7", "last_affected_version": "4.18.12", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. 
It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-17972", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-17972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-17972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-17972", "SUSE": "https://www.suse.com/security/cve/CVE-2018-17972", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17972" } }, "CVE-2018-17977": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-17977", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-17977", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-17977", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-17977", "SUSE": "https://www.suse.com/security/cve/CVE-2018-17977", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17977" } }, "CVE-2018-18021": { "affected_versions": "v3.11-rc1 to v4.19-rc7", "breaks": "0d854a60b1d7d39a37b25dd28f63cfa0df637b91", "cmt_msg": "arm64: KVM: Tighten guest core register access from userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "score": 7.1 }, "cwe": "Input Validation", "fixes": "d26c25a9d19b5976b319af528886f89cf455692d", "last_affected_version": "4.18.11", "last_modified": "2023-12-06", "nvd_text": "arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. 
This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18021", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18021", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18021", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18021", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18021", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18021" } }, "CVE-2018-18281": { "affected_versions": "v3.2-rc1 to v4.19", "breaks": "7b6efc2bc4f19952b25ebf9b236e5ac43cd386c2", "cmt_msg": "mremap: properly flush TLB before releasing the page", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "eb66ae030829605d61fbef1909ce310e29f78821", "last_affected_version": "4.18", "last_modified": "2023-12-06", "nvd_text": "Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. 
This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18281", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18281", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18281", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18281", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18281", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18281" } }, "CVE-2018-18386": { "affected_versions": "v2.6.36-rc1 to v4.15-rc6", "breaks": "26df6d13406d1a53b0bda08bd712f1924affd7cd", "cmt_msg": "n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Incorrect Type Conversion or Cast", "fixes": "966031f340185eddd05affcf72b740549f056348", "last_affected_version": "4.14.10", "last_modified": "2023-12-06", "nvd_text": "drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18386", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18386", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18386", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18386", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18386", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18386" } }, "CVE-2018-18397": { "affected_versions": "v4.11-rc1 to v4.20-rc5", "breaks": "4c27fe4c4c84f3afd504ecff2420cc1ad420d38e", "cmt_msg": "userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Improper Access Control", "fixes": "9e368259ad988356c4c95150fafd1a06af095d98", "last_affected_version": "4.19.7", "last_modified": "2023-12-06", "nvd_text": "The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18397", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18397", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18397", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18397", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18397", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18397" } }, "CVE-2018-18445": { "affected_versions": "v4.15-rc5 to v4.19-rc7", "breaks": "468f6eafa6c44cb2c5d8aad35e12f06c240a812a", "cmt_msg": "bpf: 32-bit RSH verification must truncate input before the ALU op", "cvss2": { "Access Complexity": "Low", 
"Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "b799207e1e1816b09e7a5920fbb2d5fcf6edd681", "last_affected_version": "4.18.12", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18445", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18445", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18445", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18445", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18445", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18445" } }, "CVE-2018-18559": { "affected_versions": "v4.4-rc1 to v4.15-rc2", "breaks": "30f7ea1c2b5f5fb7462c5ae44fe2e40cb2d6a474", "cmt_msg": "net/packet: fix a race in packet_bind() and packet_notifier()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": 
"Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Race Conditions", "fixes": "15fe076edea787807a7cdc168df832544b58eba6", "last_affected_version": "4.14.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18559", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18559", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18559", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18559", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18559", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18559" } }, "CVE-2018-18653": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Access Control", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel, as used in Ubuntu 18.10 and when booted with 
UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18653", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18653", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18653", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18653", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18653", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18653" }, "vendor_specific": true }, "CVE-2018-18690": { "affected_versions": "v2.6.12-rc2 to v4.17-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Data Handling", "fixes": "7b38460dc8e4eafba06c78f8e37099d3b34d473c", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles 
ATTR_REPLACE operations with conversion of an attr from short to long form.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18690", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18690", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18690", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18690", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18690", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18690" } }, "CVE-2018-18710": { "affected_versions": "v2.6.12-rc2 to v4.20-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cdrom: fix improper type cast, which can leat to information leak.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276", "last_affected_version": "4.19.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. 
This is similar to CVE-2018-10940 and CVE-2018-16658.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18710", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18710", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18710", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18710", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18710", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18710" } }, "CVE-2018-18955": { "affected_versions": "v4.15-rc1 to v4.20-rc2", "breaks": "6397fac4915ab3002dc15aae751455da1a852f25", "cmt_msg": "userns: also map extents in the reverse map to kernel IDs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Input Validation", "fixes": "d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd", "last_affected_version": "4.19.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. 
This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-18955", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-18955", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-18955", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-18955", "SUSE": "https://www.suse.com/security/cve/CVE-2018-18955", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18955" } }, "CVE-2018-19406": { "affected_versions": "v4.19-rc1 to v4.20-rc5", "breaks": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "cmt_msg": "KVM: LAPIC: Fix pv ipis use-before-initialization", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "38ab012f109caf10f471db1adf284e620dd8d701", "last_affected_version": "4.19.6", "last_modified": "2023-12-06", "nvd_text": "kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-19406", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-19406", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-19406", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-19406", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-19406", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19406" } }, "CVE-2018-19407": { "affected_versions": "v4.5-rc1 to v4.20-rc5", "breaks": "5c919412fe61c35947816fdbd5f7bd09fe0dd073", "cmt_msg": "KVM: X86: Fix scan ioapic use-before-initialization", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "e97f852fd4561e77721bb9a4e0ea9d98305b1e93", "last_affected_version": "4.19.6", "last_modified": "2023-12-06", "nvd_text": "The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-19407", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-19407", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-19407", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-19407", "SUSE": "https://www.suse.com/security/cve/CVE-2018-19407", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19407" } }, "CVE-2018-19824": { "affected_versions": "v3.1-rc8 to v4.20-rc6", "breaks": "362e4e49abe53e89d87455dfcd7c1bbaf08a839d", "cmt_msg": "ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "5f8cf712582617d523120df67d392059eaf2fc4b", "last_affected_version": "4.19.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-19824", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-19824", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-19824", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-19824", "SUSE": "https://www.suse.com/security/cve/CVE-2018-19824", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19824" } }, "CVE-2018-19854": { "affected_versions": "v4.12-rc1 to v4.20-rc3", "breaks": "4473710df1f8779c59b33737eeaa151596907761", "cmt_msg": "crypto: user - fix leaking uninitialized memory to userspace", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", 
"score": 4.7 }, "cwe": "Information Leak / Disclosure", "fixes": "f43f39958beb206b53292801e216d9b8a660f087", "last_affected_version": "4.19.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-19854", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-19854", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-19854", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-19854", "SUSE": "https://www.suse.com/security/cve/CVE-2018-19854", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19854" } }, "CVE-2018-19985": { "affected_versions": "v2.6.27-rc1 to v4.20", "breaks": "72dc1c096c7051a48ab1dbb12f71976656b55eb5", "cmt_msg": "USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Out-of-bounds Read", "fixes": "5146f95df782b0ac61abde36567e718692725c89", "last_affected_version": "4.19", "last_modified": "2023-12-06", "nvd_text": "The function 
hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-19985", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-19985", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-19985", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-19985", "SUSE": "https://www.suse.com/security/cve/CVE-2018-19985", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19985" } }, "CVE-2018-20169": { "affected_versions": "v2.6.12-rc2 to v4.20-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: check usb_get_extra_descriptor for proper size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "704620afc70cf47abb9d6a1a57f3825d2bca49cf", "last_affected_version": "4.19.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.19.9. 
The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20169", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20169", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20169", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20169", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20169", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20169" } }, "CVE-2018-20449": { "affected_versions": "v4.7-rc1 to v4.15-rc2", "breaks": "570d0176296f0d17c4b5ab206ad4a4bc027b863b", "cmt_msg": "printk: hash addresses printed with %p", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "ad67b74d2469d9b82aaa572d76474c95bc484d57", "last_modified": "2023-12-06", "nvd_text": "The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \"callback=\" lines in a debugfs file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20449", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20449", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20449", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20449", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20449", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20449" } }, "CVE-2018-20509": { "affected_versions": "v2.6.12-rc2 to v4.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "binder: refactor binder ref inc/dec for thread safety", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "372e3147df7016ebeaa372939e8774a1292db558", "last_modified": "2023-12-06", "nvd_text": "The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \" ref *desc *node\" lines in a debugfs file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20509", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20509", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20509", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20509", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20509", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20509" } }, "CVE-2018-20510": { "affected_versions": "v2.6.29-rc1 to v4.16-rc3", "breaks": "457b9a6f09f011ebcb9b52cc203a6331a6fc2de7", "cmt_msg": "binder: replace \"%p\" with \"%pK\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, 
"cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "8ca86f1639ec5890d400fff9211aca22d0a392eb", "last_affected_version": "4.15.5", "last_modified": "2023-12-06", "nvd_text": "The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \"*from *code *flags\" lines in a debugfs file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20510", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20510", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20510", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20510", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20510", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20510" } }, "CVE-2018-20511": { "affected_versions": "v2.6.31-rc1 to v4.19-rc5", "breaks": "5615968a70845157adaffc11062c997d045339ee", "cmt_msg": "net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "9824dfae5741275473a23a7ed5756c7b6efacc9d", "last_affected_version": "4.18.10", "last_modified": 
"2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20511", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20511", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20511", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20511", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20511", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20511" } }, "CVE-2018-20669": { "affected_versions": "v4.13-rc1 to v5.0-rc1", "breaks": "2889caa9232109afc8881f29a2205abeb5709d0c", "cmt_msg": "make 'user_access_begin()' do 'access_ok()'", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": "594cc251fdd0d231d342d88b2fdff4bc42fb0690", "last_affected_version": "4.19.128", "last_modified": "2023-12-06", "nvd_text": "An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. 
A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20669", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20669", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20669", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20669" } }, "CVE-2018-20784": { "affected_versions": "v4.13-rc1 to v5.0-rc1", "breaks": "a9e7f6544b9cebdae54d29f87a7ba2a83c0471b5", "cmt_msg": "sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "c40f7d74c741a907cfaeb73a7697081881c497d0", "last_affected_version": "4.20.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20784", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20784", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-20784", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20784", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20784", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20784" } }, "CVE-2018-20836": { "affected_versions": "v2.6.19-rc1 to v4.20-rc1", "breaks": "2908d778ab3e244900c310974e1fc1c69066e450", "cmt_msg": "scsi: libsas: fix a race condition when smp task timeout", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Race Conditions", "fixes": "b90cd6f2b905905fb42671009dc0e27c310a16ae", "last_affected_version": "4.19.41", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.20. 
There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20836", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20836", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20836", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20836", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20836", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20836" } }, "CVE-2018-20854": { "affected_versions": "v4.20-rc1 to v4.20-rc1", "backport": true, "breaks": "51f6b410fc220d8a5a4fae00ebfd8243b6c11d4e", "cmt_msg": "phy: ocelot-serdes: fix out-of-bounds read", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "6acb47d1a318e5b3b7115354ebc4ea060c59d3a1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.20. 
drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20854", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20854", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20854", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20854", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20854", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20854" } }, "CVE-2018-20855": { "affected_versions": "v3.11-rc1 to v4.19-rc1", "breaks": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", "cmt_msg": "IB/mlx5: Fix leaking stack memory to userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "0625b4ba1a5d4703c7fb01c497bd6c156908af00", "last_affected_version": "4.18.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.18.7. 
In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20855", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20855", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20855", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20855", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20855", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20855" } }, "CVE-2018-20856": { "affected_versions": "v3.18-rc1 to v4.19-rc1", "breaks": "7c94e1c157a227837b04f02f5edeff8301410ba2", "cmt_msg": "block: blk_init_allocated_queue() set q->fq as NULL in the fail case", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "54648cf1ec2d7f4b6a71767799c45676a138ca24", "last_affected_version": "4.18.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.18.7. 
In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20856", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20856", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20856", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20856", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20856", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20856" } }, "CVE-2018-20961": { "affected_versions": "v4.4-rc5 to v4.17-rc1", "breaks": "ad0d1a058eac46503edbc510d1ce44c5df8e0c91", "cmt_msg": "USB: gadget: f_midi: fixing a possible double-free in f_midi", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Double Free", "fixes": "7fafcfdf6377b18b2a726ea554d6e593ba44349f", "last_affected_version": "4.16.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20961", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20961", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20961", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20961", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-20961", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961" } }, "CVE-2018-20976": { "affected_versions": "v3.1-rc1 to v4.18-rc1", "breaks": "8daaa83145ef1f0a146680618328dbbd0fa76939", "cmt_msg": "xfs: clear sb->s_fs_info on mount failure", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c9fbd7bbc23dbdd73364be4d045e5d3612cf6e82", "last_affected_version": "4.14.149", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. 
A use after free exists, related to xfs_fs_fill_super failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-20976", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-20976", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-20976", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-20976", "SUSE": "https://www.suse.com/security/cve/CVE-2018-20976", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20976" } }, "CVE-2018-21008": { "affected_versions": "v2.6.12-rc2 to v4.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rsi: add fix for crash during assertions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8", "last_affected_version": "4.14.165", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.16.7. 
A use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-21008", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-21008", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-21008", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-21008", "SUSE": "https://www.suse.com/security/cve/CVE-2018-21008", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-21008" } }, "CVE-2018-25015": { "affected_versions": "v4.15-rc1 to v4.15-rc9", "breaks": "cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff", "cmt_msg": "sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "a0ff660058b88d12625a783ce9e5c1371c87951f", "last_affected_version": "4.14.15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.14.16. 
There is a use-after-free in net/sctp/socket.c for a held lock after a peel off, aka CID-a0ff660058b8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-25015", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-25015", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-25015", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-25015", "SUSE": "https://www.suse.com/security/cve/CVE-2018-25015", "Ubuntu": "https://ubuntu.com/security/CVE-2018-25015" } }, "CVE-2018-25020": { "affected_versions": "v2.6.12-rc2 to v4.17-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: fix truncated jump targets on heavy expansions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "050fad7c4534c13c8eb1d9c2ba66012e014773cb", "last_affected_version": "4.14.264", "last_modified": "2023-12-06", "nvd_text": "The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. 
This affects kernel/bpf/core.c and net/core/filter.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-25020", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-25020", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-25020", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-25020", "SUSE": "https://www.suse.com/security/cve/CVE-2018-25020", "Ubuntu": "https://ubuntu.com/security/CVE-2018-25020" } }, "CVE-2018-3574": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Input Validation", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory which does not belong to HLOS.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-3574", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-3574", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-3574", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-3574", "SUSE": "https://www.suse.com/security/cve/CVE-2018-3574", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3574" }, "vendor_specific": true }, "CVE-2018-3620": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/microcode: Allow late microcode loading with SMT disabled", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "07d981ad4cf1e78361c6db1c28ee5ba105f96cc1", "last_affected_version": "4.18.0", "last_modified": "2023-12-06", "nvd_text": "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-3620", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-3620", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-3620", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-3620", "SUSE": "https://www.suse.com/security/cve/CVE-2018-3620", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620" } }, "CVE-2018-3639": { "affected_versions": "v2.6.12-rc2 to v4.17-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/nospec: Simplify alternative_msr_write()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "1aa7a5735a41418d8e01fa7c9565eb2657e2ea3f", "last_affected_version": "4.16.10", "last_modified": "2023-12-06", "nvd_text": "Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-3639", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-3639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-3639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-3639", "SUSE": "https://www.suse.com/security/cve/CVE-2018-3639", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3639" } }, "CVE-2018-3646": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/microcode: Allow late microcode loading with SMT disabled", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Unspecified", "fixes": "07d981ad4cf1e78361c6db1c28ee5ba105f96cc1", "last_affected_version": "4.18.0", 
"last_modified": "2023-12-06", "nvd_text": "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-3646", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-3646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-3646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-3646", "SUSE": "https://www.suse.com/security/cve/CVE-2018-3646", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3646" } }, "CVE-2018-3665": { "affected_versions": "v2.6.12-rc2 to v3.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86, fpu: decouple non-lazy/eager fpu restore from xsave", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Information Leak / Disclosure", "fixes": "5d2bd7009f306c82afddd1ca4d9763ad8473c216", "last_modified": "2023-12-06", "nvd_text": "System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-3665", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-3665", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-3665", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-3665", "SUSE": "https://www.suse.com/security/cve/CVE-2018-3665", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665" } }, "CVE-2018-3693": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: fix spectre gadget in ext4_mb_regular_allocator()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Unspecified", "fixes": "1a5d5e5d51e75a5bca67dadbcea8c841934b7b85", "last_affected_version": "4.18.4", "last_modified": "2023-12-06", "nvd_text": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-3693", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-3693", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-3693", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-3693", "SUSE": "https://www.suse.com/security/cve/CVE-2018-3693", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3693" } }, "CVE-2018-5332": { "affected_versions": "v2.6.12-rc2 to v4.15-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "RDS: Heap OOB write in rds_message_alloc_sgs()", "cvss2": { "Access 
Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "c095508770aebf1b9218e77026e48345d719b17c", "last_affected_version": "4.14.13", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5332", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5332", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5332", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5332", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5332", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5332" } }, "CVE-2018-5333": { "affected_versions": "v2.6.37-rc1 to v4.15-rc8", "breaks": "15133f6e67d8d646d0744336b4daa3135452cb0d", "cmt_msg": "RDS: null pointer dereference in rds_atomic_free_op", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": 
"None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "7d11f77f84b27cef452cee332f4e469503084737", "last_affected_version": "4.14.13", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5333", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5333", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5333", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5333", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5333", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333" } }, "CVE-2018-5344": { "affected_versions": "v2.6.12-rc2 to v4.15-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "loop: fix concurrent lo_open/lo_release", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5", "last_affected_version": "4.14.16", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5344", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5344", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5344", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5344", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5344", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5344" } }, "CVE-2018-5390": { "affected_versions": "v4.9-rc1 to v4.18-rc7", "breaks": "36a6503feddadbbad415fb3891e80f94c10a9b21", "cmt_msg": "tcp: free batches of packets in tcp_prune_ofo_queue()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Input Validation", "fixes": "72cd43ba64fc172a443410ce01645895850844c8", "last_affected_version": "4.17.10", "last_modified": "2023-12-06", "name": "SegmentSmack", "nvd_text": "Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5390", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5390", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5390", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5390", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5390", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5390" } }, "CVE-2018-5391": { "affected_versions": "v3.9-rc1 to v4.19-rc1", 
"breaks": "c2a936600f78aea00d3312ea4b66a79a4619f9b4", "cmt_msg": "ip: discard IPv4 datagrams with overlapping segments.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Input Validation", "fixes": "7969e5c40dfd04799d4341f1b7cd266b6e47f227", "last_affected_version": "4.14.70", "last_modified": "2023-12-06", "name": "FragmentSmack", "nvd_text": "The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. 
The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5391", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5391", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5391", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5391", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5391", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5391" } }, "CVE-2018-5703": { "affected_versions": "v4.13-rc1 to v4.16-rc5", "breaks": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218", "cmt_msg": "tls: Use correct sk->sk_prot for IPV6", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Out-of-bounds Write", "fixes": "c113187d38ff85dc302a1bb55864b203ebb2ba10", "last_affected_version": "4.15.7", "last_modified": "2023-12-06", "nvd_text": "The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5703", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5703", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5703", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5703", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-5703", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5703" } }, "CVE-2018-5750": { "affected_versions": "v2.6.24-rc1 to v4.16-rc1", "breaks": "91087dfa51a29b3c190e99339c4c32eb13646c51", "cmt_msg": "ACPI: sbshc: remove raw pointer from printk() message", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "43cdd1b716b26f6af16da4e145b6578f98798bf6", "last_affected_version": "4.15.3", "last_modified": "2023-12-06", "nvd_text": "The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5750", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5750", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5750", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5750", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5750", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5750" } }, "CVE-2018-5803": { "affected_versions": "v2.6.12-rc2 to v4.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: verify size of a new chunk in _sctp_make_chunk()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality 
Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Input Validation", "fixes": "07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c", "last_affected_version": "4.15.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the \"_sctp_make_chunk()\" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5803", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5803", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5803", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5803", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5803", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5803" } }, "CVE-2018-5814": { "affected_versions": "v2.6.36-rc1 to v4.17-rc6", "breaks": "aa5873e96271611ae55586f65e49ea1fab90cb88", "cmt_msg": "usbip: usbip_host: fix NULL-ptr deref and use-after-free errors", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": 
"22076557b07c12086eeb16b8ce2b0b735f7a27e7", "last_affected_version": "4.16.10", "last_modified": "2023-12-06", "nvd_text": "In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5814", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5814", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5814", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5814", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5814", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5814" } }, "CVE-2018-5848": { "affected_versions": "v2.6.12-rc2 to v4.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "wil6210: missing length check in wmi_set_ie", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. 
As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5848", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5848", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5848", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5848", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5848", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5848" } }, "CVE-2018-5856": { "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "last_modified": "2023-12-06", "new": true, "nvd_text": "In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, due to a race condition, a Use After Free condition can occur in Audio.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5856", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5856", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5856", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5856", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5856", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5856" }, "vendor_specific": true }, "CVE-2018-5873": { "affected_versions": "v3.19-rc1 to v4.11-rc8", "breaks": "e149ed2b805fefdccf7ccdfc19eca22fdd4514ac", 
"cmt_msg": "nsfs: mark dentry with DCACHE_RCUACCESS", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "073c516ff73557a8f7315066856c04b50383ac34", "last_affected_version": "4.9.81", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5873", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5873", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5873", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5873", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5873", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5873" } }, "CVE-2018-5953": { "affected_versions": "v2.6.12-rc2 to v4.15-rc2", "alt_msg": "swiotlb: clean up reporting", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "printk: hash addresses printed with %p", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": 
{ "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "ad67b74d2469d9b82aaa572d76474c95bc484d57", "last_affected_version": "4.14.87", "last_modified": "2023-12-06", "nvd_text": "The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a \"software IO TLB\" printk call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5953", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5953", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5953", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5953", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5953", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5953" } }, "CVE-2018-5995": { "affected_versions": "v2.6.12-rc2 to v4.15-rc2", "alt_msg": "percpu: stop printing kernel addresses", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "printk: hash addresses printed with %p", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "ad67b74d2469d9b82aaa572d76474c95bc484d57", 
"last_affected_version": "4.14.113", "last_modified": "2023-12-06", "nvd_text": "The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a \"pages/cpu\" printk call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-5995", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-5995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-5995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-5995", "SUSE": "https://www.suse.com/security/cve/CVE-2018-5995", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5995" } }, "CVE-2018-6412": { "affected_versions": "v2.6.12-rc2 to v4.16-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "250c6c49e3b68756b14983c076183568636e2bde", "last_affected_version": "4.14.44", "last_modified": "2023-12-06", "nvd_text": "In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-6412", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2018-6412", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-6412", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-6412", "SUSE": "https://www.suse.com/security/cve/CVE-2018-6412", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6412" } }, "CVE-2018-6554": { "affected_versions": "v2.6.12-rc2 to v4.17-rc1", "alt_msg": "irda: Fix memory leak caused by repeated binds of irda socket", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "staging: irda: remove the irda network stack and drivers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "d64c2a76123f0300b08d0557ad56e9d599872a36", "last_affected_version": "4.14.69", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-6554", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-6554", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-6554", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-6554", "SUSE": "https://www.suse.com/security/cve/CVE-2018-6554", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6554" } }, "CVE-2018-6555": { 
"affected_versions": "v2.6.12-rc2 to v4.17-rc1", "alt_msg": "irda: Only insert new objects into the global database via setsockopt", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "staging: irda: remove the irda network stack and drivers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "d64c2a76123f0300b08d0557ad56e9d599872a36", "last_affected_version": "4.14.69", "last_modified": "2023-12-06", "nvd_text": "The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-6555", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-6555", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-6555", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-6555", "SUSE": "https://www.suse.com/security/cve/CVE-2018-6555", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6555" } }, "CVE-2018-6559": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { 
"Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Information Leak / Disclosure", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-6559", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-6559", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-6559", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-6559", "SUSE": "https://www.suse.com/security/cve/CVE-2018-6559", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6559" }, "vendor_specific": true }, "CVE-2018-6927": { "affected_versions": "v2.6.12-rc2 to v4.15-rc9", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "futex: Prevent overflow by strengthen input validation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a", "last_affected_version": "4.14.14", "last_modified": "2023-12-06", "nvd_text": "The futex_requeue function in kernel/futex.c in the Linux kernel 
before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-6927", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-6927", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-6927", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-6927", "SUSE": "https://www.suse.com/security/cve/CVE-2018-6927", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6927" } }, "CVE-2018-7191": { "affected_versions": "v3.8-rc1 to v4.14-rc6", "breaks": "96442e42429e5f268ab97a3586c7694a3acc55a7", "cmt_msg": "tun: call dev_get_valid_name() before register_netdevice()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "0ad646c81b2182f7fa67ec0c8c825e0ee165696d", "last_affected_version": "4.13.13", "last_modified": "2023-12-06", "nvd_text": "In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. 
This is similar to CVE-2013-4343.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7191", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7191", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7191", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7191", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7191", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7191" } }, "CVE-2018-7273": { "affected_versions": "v2.6.12-rc2 to v4.15-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "printk: hash addresses printed with %p", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "ad67b74d2469d9b82aaa572d76474c95bc484d57", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. 
An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7273", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7273", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7273", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7273", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7273", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7273" } }, "CVE-2018-7480": { "affected_versions": "v4.2-rc1 to v4.11-rc1", "backport": true, "breaks": "ec13b1d6f0a0457312e615335ce8ceb07da50a11", "cmt_msg": "blkcg: fix double free of new_blkg in blkcg_init_queue", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "9b54d816e00425c3a517514e0d677bb3cec49258", "last_affected_version": "4.9.88", "last_modified": "2023-12-06", "nvd_text": "The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7480", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7480", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7480", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7480", "SUSE": 
"https://www.suse.com/security/cve/CVE-2018-7480", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7480" } }, "CVE-2018-7492": { "affected_versions": "v2.6.12-rc2 to v4.15-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "rds: Fix NULL pointer dereference in __rds_rdma_map", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "f3069c6d33f6ae63a1668737bc78aaaa51bff7ca", "last_affected_version": "4.14.6", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7492", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7492", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7492", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7492", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7492", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7492" } }, "CVE-2018-7566": { "affected_versions": "v2.6.12-rc2 to v4.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: seq: Fix racy pool initializations", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", 
"Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "d15d662e89fc667b90cd294b0eb45694e33144da", "last_affected_version": "4.15.4", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7566", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7566", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7566", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7566", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7566", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7566" } }, "CVE-2018-7740": { "affected_versions": "v4.11-rc7 to v4.16-rc7", "breaks": "045c7a3f53d9403b62d396b6d051c4be5044cdb4", "cmt_msg": "hugetlbfs: check for pgoff value overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Errors", "fixes": "63489f8e821144000e0bdca7e65a8d1cc23a7ee7", "last_affected_version": "4.15.13", "last_modified": "2023-12-06", "nvd_text": "The 
resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7740", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7740", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7740", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7740", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7740", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7740" } }, "CVE-2018-7754": { "affected_versions": "v3.12-rc1 to v4.15-rc2", "breaks": "2256c1c51e98d4eb2063a7f84f9ea783fda95f7f", "cmt_msg": "printk: hash addresses printed with %p", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "DEPRECATED: Information Exposure Through Debug Log Files", "fixes": "ad67b74d2469d9b82aaa572d76474c95bc484d57", "last_modified": "2023-12-06", "nvd_text": "The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading \"ffree: \" lines in a debugfs file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7754", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7754", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7754", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2018-7754", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7754", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7754" } }, "CVE-2018-7755": { "affected_versions": "v2.6.12-rc2 to v4.19-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e", "last_affected_version": "4.18.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. 
An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7755", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7755", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7755", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7755", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7755", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7755" } }, "CVE-2018-7757": { "affected_versions": "v2.6.19-rc1 to v4.16-rc1", "breaks": "2908d778ab3e244900c310974e1fc1c69066e450", "cmt_msg": "scsi: libsas: fix memory leak in sas_smp_get_phy_events()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "4a491b1ab11ca0556d2fda1ff1301e862a2d44c4", "last_affected_version": "4.15.16", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7757", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7757", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-7757", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7757", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7757", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7757" } }, "CVE-2018-7995": { "affected_versions": "v2.6.12-rc2 to v4.16-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/MCE: Serialize sysfs changes", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "b3b7c4795ccab5be71f080774c45bbbcc75c2aaf", "last_affected_version": "4.15.9", "last_modified": "2023-12-06", "nvd_text": "Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. 
NOTE: a third party has indicated that this report is not security relevant", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-7995", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-7995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-7995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-7995", "SUSE": "https://www.suse.com/security/cve/CVE-2018-7995", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7995" } }, "CVE-2018-8043": { "affected_versions": "v3.18-rc1 to v4.16-rc1", "breaks": "2ba1b163c9d5d716fb1061f3fb76832cc6eea37f", "cmt_msg": "net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5", "last_affected_version": "4.14.191", "last_modified": "2023-12-06", "nvd_text": "The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-8043", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-8043", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-8043", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-8043", "SUSE": "https://www.suse.com/security/cve/CVE-2018-8043", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8043" } }, "CVE-2018-8087": { "affected_versions": "v4.11-rc1 to v4.16-rc1", "breaks": "ff4dd73dd2b4806419f8ff65cbce11d5019548d0", "cmt_msg": "mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "0ddcff49b672239dda94d70d0fcf50317a9f4b51", "last_affected_version": "4.14.36", "last_modified": "2023-12-06", "nvd_text": "Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-8087", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-8087", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-8087", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-8087", "SUSE": "https://www.suse.com/security/cve/CVE-2018-8087", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8087" } }, "CVE-2018-8781": { "affected_versions": "v3.4-rc1 to v4.16-rc7", "breaks": "5320918b9a87865223fd6b228e530bf30bc64d9d", "cmt_msg": "drm: udl: Properly check framebuffer mmap offsets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity 
Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "3b82a4db8eaccce735dffd50b4d4e1578099b8e8", "last_affected_version": "4.15.13", "last_modified": "2023-12-06", "nvd_text": "The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-8781", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-8781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-8781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-8781", "SUSE": "https://www.suse.com/security/cve/CVE-2018-8781", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8781" } }, "CVE-2018-8822": { "affected_versions": "v2.6.12-rc2 to v4.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "staging: ncpfs: memory corruption in ncp_read_kernel()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Errors", "fixes": "4c41aa24baa4ed338241d05494f2c595c885af8f", "last_affected_version": "4.15.13", "last_modified": "2023-12-06", "nvd_text": "Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-8822", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-8822", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-8822", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-8822", "SUSE": "https://www.suse.com/security/cve/CVE-2018-8822", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8822" } }, "CVE-2018-8897": { "affected_versions": "v2.6.12-rc2 to v4.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/entry/64: Don't use IST entry for #BP stack", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, and Access Control", "fixes": "d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9", "last_affected_version": "4.15.13", "last_modified": "2023-12-06", "nvd_text": "A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the 
development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-8897", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-8897", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-8897", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-8897", "SUSE": "https://www.suse.com/security/cve/CVE-2018-8897", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8897" } }, "CVE-2018-9363": { "affected_versions": "v3.14-rc4 to v4.19-rc1", "breaks": "a4b1b5877b514b276f0f31efe02388a9c2836728", "cmt_msg": "Bluetooth: hidp: buffer overflow in hidp_process_report", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": 
"Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.4 }, "cwe": "Integer Overflow or Wraparound", "fixes": "7992c18810e568b95c869b227137a2215702a805", "last_affected_version": "4.18.1", "last_modified": "2023-12-06", "nvd_text": "In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9363", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9363", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9363", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9363", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9363", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9363" } }, "CVE-2018-9385": { "affected_versions": "v4.0-rc1 to v4.17-rc3", "breaks": "3cf385713460eb2bb4cb7ceb8ed89833b00b594b", "cmt_msg": "ARM: amba: Don't read past the end of sysfs \"driver_override\" buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "d2ffed5185df9d8d9ccd150e4340e3b6f96a8381", 
"last_affected_version": "4.16.6", "last_modified": "2023-12-06", "nvd_text": "In driver_override_store of bus.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74128061 References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9385", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9385", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9385", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9385", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9385", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9385" } }, "CVE-2018-9415": { "affected_versions": "v4.0-rc1 to v4.17-rc3", "breaks": "3cf385713460eb2bb4cb7ceb8ed89833b00b594b", "cmt_msg": "ARM: amba: Fix race condition with driver_override", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "6a7228d90d42bcacfe38786756ba62762b91c20a", "last_affected_version": "4.16.6", "last_modified": "2023-12-06", "nvd_text": "In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. 
Product: Android Versions: Android kernel Android ID: A-69129004 References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9415", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9415", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9415", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9415", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9415", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9415" } }, "CVE-2018-9422": { "affected_versions": "v2.6.12-rc2 to v4.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "futex: Remove requirement for lock_page() in get_futex_key()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "65d8fc777f6dcfee12785c057a6b57f679641c90", "last_affected_version": "4.4.127", "last_modified": "2023-12-06", "nvd_text": "In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation. 
Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9422", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9422", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9422", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9422", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9422", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9422" } }, "CVE-2018-9465": { "affected_versions": "v2.6.12-rc2 to v4.15-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "binder: fix proc->files use-after-free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "7f3dc0088b98533f17128058fac73cd8b2752ef1", "last_affected_version": "4.14.10", "last_modified": "2023-12-06", "nvd_text": "In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 
Product: Android Versions: Android kernel Android ID: A-69164715 References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9465", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9465", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9465", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9465", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9465", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9465" } }, "CVE-2018-9516": { "affected_versions": "v2.6.32-rc1 to v4.18-rc5", "breaks": "cd667ce24796700e1a0e6e7528efc61c96ff832e", "cmt_msg": "HID: debug: check length before copy_to_user()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "717adfdaf14704fd3ec7fa2c04520c0723247eac", "last_affected_version": "4.17.5", "last_modified": "2023-12-06", "nvd_text": "In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. 
Product: Android Versions: Android kernel Android ID: A-71361580.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9516", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9516", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9516", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9516" } }, "CVE-2018-9517": { "affected_versions": "v2.6.35-rc1 to v4.14-rc1", "breaks": "309795f4bec2d69cd507a631f82065c2198a0825", "cmt_msg": "l2tp: pass tunnel pointer to ->session_create()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "f026bc29a8e093edfbb2a77700454b285c97e8ad", "last_affected_version": "4.9.224", "last_modified": "2023-12-06", "nvd_text": "In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. 
Android ID: A-38159931.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9517", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9517", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9517", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9517", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9517", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9517" } }, "CVE-2018-9518": { "affected_versions": "v3.10-rc1 to v4.16-rc3", "breaks": "d9b8d8e19b073096d3609bbd60f82148d128b555", "cmt_msg": "NFC: llcp: Limit size of SDP URI", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "fe9c842695e26d8116b61b80bfb905356f07834b", "last_affected_version": "4.14.44", "last_modified": "2023-12-06", "nvd_text": "In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. 
Android ID: A-73083945.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9518", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9518", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9518", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9518", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9518", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9518" } }, "CVE-2018-9568": { "affected_versions": "v2.6.12-rc2 to v4.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: Set sk_prot_creator when cloning sockets to the right proto", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Incorrect Type Conversion or Cast", "fixes": "9d538fa60bad4f7b23193c89e843797a1cf71ef3", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. 
References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2018-9568", "ExploitDB": "https://www.exploit-db.com/search?cve=2018-9568", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2018-9568", "Red Hat": "https://access.redhat.com/security/cve/CVE-2018-9568", "SUSE": "https://www.suse.com/security/cve/CVE-2018-9568", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9568" } }, "CVE-2019-0136": { "affected_versions": "v2.6.12-rc2 to v5.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mac80211: drop robust management frames from unknown TA", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "score": 7.4 }, "cwe": "Unspecified", "fixes": "588f7d39b3592a36fb7702ae3b8bdd9be4621e2f", "last_affected_version": "5.1.14", "last_modified": "2023-12-06", "nvd_text": "Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0136", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0136", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0136", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0136", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0136", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0136" } }, "CVE-2019-0145": { "affected_versions": 
"v4.6-rc1 to v5.2-rc1", "breaks": "e3219ce6a775468368fb270fae3eb82a6787b436", "cmt_msg": "i40e: add num_vectors checker in iwarp handler", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "7015ca3df965378bcef072cca9cd63ed098665b5", "last_affected_version": "4.19.138", "last_modified": "2023-12-06", "nvd_text": "Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0145", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0145", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0145", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0145", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0145", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0145" } }, "CVE-2019-0146": { "affected_versions": "v4.6-rc1 to v5.2-rc1", "breaks": "e3219ce6a775468368fb270fae3eb82a6787b436", "cmt_msg": "i40e: add num_vectors checker in iwarp handler", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "7015ca3df965378bcef072cca9cd63ed098665b5", "last_affected_version": "4.19.138", "last_modified": "2023-12-06", "nvd_text": "Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0146", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0146", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0146", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0146", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0146", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0146" } }, "CVE-2019-0147": { "affected_versions": "v4.6-rc1 to v5.2-rc1", "breaks": "e3219ce6a775468368fb270fae3eb82a6787b436", "cmt_msg": "i40e: add num_vectors checker in iwarp handler", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "7015ca3df965378bcef072cca9cd63ed098665b5", "last_affected_version": "4.19.138", "last_modified": "2023-12-06", "nvd_text": "Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series 
Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0147", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0147", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0147", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0147", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0147", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0147" } }, "CVE-2019-0148": { "affected_versions": "v3.12-rc1 to v5.2-rc1", "breaks": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd", "cmt_msg": "i40e: Wrong truncation from u16 to u8", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "c004804dceee9ca384d97d9857ea2e2795c2651d", "last_affected_version": "4.19.138", "last_modified": "2023-12-06", "nvd_text": "Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0148", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0148", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0148", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0148", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0148", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0148" } }, "CVE-2019-0149": { "affected_versions": "v4.17-rc1 to v5.3-rc1", "breaks": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5", "cmt_msg": "i40e: Add bounds check for ch[] array", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "f5a2b3ffb7af4b6ae5b905850a1a6bad82b268b9", "last_modified": "2023-12-06", "nvd_text": "Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0149", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0149", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0149", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0149", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0149", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0149" } }, "CVE-2019-0154": { "affected_versions": "v2.6.12-rc2 to v5.4-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/i915: Lower RM timeout to avoid DSI hard hangs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "1d85a299c4db57c55e0229615132c964d17aa765", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an authenticated user to potentially enable denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0154", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0154", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0154", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0154", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0154", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0154" } }, "CVE-2019-0155": { "affected_versions": "v3.19-rc1 to v5.4-rc8", "breaks": "72bbf0af0c76cbefe9cecbd2ed670b7555e03625", "cmt_msg": "drm/i915: Rename gen7 cmdparser tables", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "0a2f661b6c21815a7fa60e30babe975fee8e73c6", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-0155", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-0155", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-0155", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-0155", "SUSE": "https://www.suse.com/security/cve/CVE-2019-0155", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0155" } }, "CVE-2019-10124": { "affected_versions": "v4.5-rc1 to v5.1-rc1", "breaks": "61f5d698cc97600e813ca5cf8e449b1ea1c11492", "cmt_msg": "mm: hwpoison: fix thp split handing in soft_offline_in_use_page()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "7.8" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User 
Interaction": "None", "score": "7.5" }, "cwe": "Code Injection", "fixes": "46612b751c4941c5c0472ddf04027e877ae5990f", "last_affected_version": "5.0.3", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10124", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10124", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10124", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10124", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10124", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10124" }, "rejected": true }, "CVE-2019-10125": { "affected_versions": "v4.19-rc1 to v5.1-rc1", "breaks": "bfe4037e722ec672c9dafd5730d9132afeeb76e9", "cmt_msg": "aio: simplify - and fix - fget/fput for io_submit()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Code Injection", "fixes": "84c4e1f89fefe70554da0ab33be72c9be7994379", "last_affected_version": "5.0.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. 
A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10125", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10125", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10125", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10125", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10125", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10125" } }, "CVE-2019-10126": { "affected_versions": "v2.6.12-rc2 to v5.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Buffer Errors", "fixes": "69ae4f6aac1578575126319d3f55550e7e440449", "last_affected_version": "5.1.17", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. 
A heap-based buffer overflow in the mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10126", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10126", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10126", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10126", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10126", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10126" } }, "CVE-2019-10140": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel's implementation of overlayfs, versions up to 3.10. An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. 
This can allow attackers with the ability to create directories on overlayfs to crash the kernel, creating a denial of service (DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10140", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10140", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10140", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10140", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10140", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10140" }, "vendor_specific": true }, "CVE-2019-10142": { "affected_versions": "v3.1-rc1 to v5.2-rc1", "breaks": "6db7199407ca56f55bc0832fb124e1ad216ea57b", "cmt_msg": "drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "6a024330650e24556b8a18cc654ad00cfecf6c6c", "last_affected_version": "5.1.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's Freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding, 5.0.17. A parameter passed to an ioctl was incorrectly validated and then used in the page size calculation. 
An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security effects.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10142", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10142", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10142", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10142", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10142", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10142" } }, "CVE-2019-10207": { "affected_versions": "v2.6.36-rc1 to v5.3-rc3", "breaks": "b3190df628617c7a4f188a9465aeabe1f5761933", "cmt_msg": "Bluetooth: hci_uart: check for missing tty operations", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "b36a1552d7319bbfd5cf7f08726c23c5c66d4f73", "last_affected_version": "5.2.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. 
An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10207", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10207", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10207", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10207", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10207", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10207" } }, "CVE-2019-10220": { "affected_versions": "v2.6.12-rc2 to v5.4-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Convert filldir[64]() from __put_user() to unsafe_put_user()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "fixes": "9f79b78ef74436c7507bac6bfb7b8b989263bccb", "last_affected_version": "5.3.7", "last_modified": "2023-12-06", "nvd_text": "Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10220", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10220", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10220", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10220", "SUSE": 
"https://www.suse.com/security/cve/CVE-2019-10220", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10220" } }, "CVE-2019-10638": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "inet: switch IP ID generator to siphash", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Information Leak / Disclosure", "fixes": "df453700e8d81b1bdafdf684365ee2b9431fb702", "last_affected_version": "5.1.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). 
An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10638", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10638", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10638", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10638", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10638", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10638" } }, "CVE-2019-10639": { "affected_versions": "v2.6.27-rc1 to v5.1-rc4", "breaks": "0b4419162aa6c4204843f3a13b48d9ab821d3167", "cmt_msg": "netns: provide pure entropy for net_hash_mix()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Leak / Disclosure", "fixes": "355b98553789b646ed97ad801a619ff898471b92", "last_affected_version": "5.0.7", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). 
This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-10639", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-10639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-10639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-10639", "SUSE": "https://www.suse.com/security/cve/CVE-2019-10639", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10639" } }, "CVE-2019-11085": { "affected_versions": "v4.10-rc1 to v5.0-rc3", "breaks": "659643f7d81432189c2c87230e2feee4c75c14c1", "cmt_msg": "drm/i915/gvt: Fix mmap range check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Input Validation", "fixes": 
"51b00d8509dc69c98740da2ad07308b630d3eb7d", "last_affected_version": "4.20.3", "last_modified": "2023-12-06", "nvd_text": "Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux before version 5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11085", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11085", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11085", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11085", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11085", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11085" } }, "CVE-2019-11091": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390/speculation: Support 'mitigations=' cmdline option", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Unspecified", "fixes": "0336e04a6520bdaefdb0769d2a70084fa52e81ed", "last_affected_version": "5.1.1", "last_modified": "2023-12-06", "name": "Zombieload", "nvd_text": "Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 
A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11091", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11091", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11091", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11091", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11091", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091" } }, "CVE-2019-11135": { "affected_versions": "v2.6.12-rc2 to v5.4-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/msr: Add the IA32_TSX_CTRL MSR", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Unspecified", "fixes": "c2955f270a84762343000f103e0640d29c7a96f3", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11135", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11135", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11135", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11135", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11135", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11135" } }, "CVE-2019-11190": { "affected_versions": "v2.6.12-rc2 to v4.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "binfmt_elf: switch to new creds when switching to new mm", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "9f834ec18defc369d73ccf9e87a2790bfa05bf46", "last_affected_version": "4.4.178", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11190", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11190", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11190", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11190", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11190", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11190" } }, "CVE-2019-11191": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86: Deprecate a.out support", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality 
Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 2.5 }, "cwe": "Race Conditions", "fixes": "eac616557050737a8d6ef6fe0322d0980ff0ffde", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11191", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11191", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11191", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11191", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11191", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11191" } }, "CVE-2019-1125": { "affected_versions": "v2.6.12-rc2 to v5.3-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": 
"None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "18ec54fdd6d18d92025af097cd042a75cf0ea24c", "last_affected_version": "5.2.6", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-1125", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-1125", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-1125", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-1125", "SUSE": "https://www.suse.com/security/cve/CVE-2019-1125", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1125" } }, "CVE-2019-11477": { "affected_versions": "v2.6.29-rc1 to v5.2-rc6", "breaks": "832d11c5cd076abc0aa1eaf7be96c81d1a59ce41", "cmt_msg": "tcp: limit payload size of sacked skbs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Integer Overflow or Wraparound", "fixes": "3b4929f65b0d8249f19a50245cd88ed1a2f78cff", "last_affected_version": "5.1.10", "last_modified": "2023-12-06", "name": "SACK Panic", "nvd_text": "Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the 
Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11477", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11477", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11477", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11477", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11477", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477" } }, "CVE-2019-11478": { "affected_versions": "v2.6.12-rc2 to v5.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: tcp_fragment() should apply sane memory limits", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "f070ef2ac66716357066b683fb0baf55f8191a2e", "last_affected_version": "5.1.10", "last_modified": "2023-12-06", "nvd_text": "Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. 
This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11478", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11478", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11478", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11478", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11478", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478" } }, "CVE-2019-11479": { "affected_versions": "v2.6.12-rc2 to v5.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: add tcp_min_snd_mss sysctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "5f3e2bf008c2221478101ee72f5cb4654b9fc363", "last_affected_version": "5.1.10", "last_modified": "2023-12-06", "nvd_text": "Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. 
This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11479", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11479", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11479", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11479", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11479", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479" } }, "CVE-2019-11486": { "affected_versions": "v2.6.12-rc2 to v5.1-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tty: mark Siemens R3964 line discipline as BROKEN", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "c7084edc3f6d67750f50d4183134c4fb5712a5c8", "last_affected_version": "5.0.7", "last_modified": "2023-12-06", "nvd_text": "The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11486", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11486", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11486", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11486", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11486", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11486" } }, "CVE-2019-11487": { "affected_versions": "v2.6.12-rc2 to v5.1-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs: prevent page refcount overflow in pipe_buf_get", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "15fab63e1e57be9fdb5eec1bbc5916e9825e9acb", "last_affected_version": "5.0.11", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. 
It can occur with FUSE requests.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11487", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11487", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11487", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11487", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11487", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11487" } }, "CVE-2019-11599": { "affected_versions": "v2.6.12-rc2 to v5.1-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "04f5866e41fb70690e28397487d8bd8eea7d712a", "last_affected_version": "5.0.9", "last_modified": "2023-12-06", "nvd_text": "The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. 
This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11599", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11599", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11599", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11599", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11599", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11599" } }, "CVE-2019-11683": { "affected_versions": "v5.0-rc1 to v5.1", "breaks": "e20cf8d3f1f763ad28a9cb3b41305b8a8a42653e", "cmt_msg": "udp: fix GRO packet of death", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Resource Management Errors", "fixes": "4dd2b82d5adfbe0b1587ccad7a8f76d826120f37", "last_affected_version": "5.0", "last_modified": "2023-12-06", "nvd_text": "udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the \"GRO packet of death\" issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11683", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11683", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11683", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2019-11683", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11683", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11683" } }, "CVE-2019-11810": { "affected_versions": "v2.6.14-rc4 to v5.1-rc1", "breaks": "c4a3e0a529ab3e65223e81681c7c6b1bc188fa58", "cmt_msg": "scsi: megaraid_sas: return error when create DMA pool failed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "bcf3b67d16a4c8ffae0aa79de5853435e683945c", "last_affected_version": "5.0.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. 
This causes a Denial of Service, related to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11810", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11810", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11810", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11810", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11810", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11810" } }, "CVE-2019-11811": { "affected_versions": "v4.18-rc1 to v5.1-rc1", "breaks": "93c303d2045b30572d8d5e74d3ad80692acfebbe", "cmt_msg": "ipmi_si: fix use-after-free of resource->name", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "401e7e88d4ef80188ffa07095ac00456f901b8c4", "last_affected_version": "5.0.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.4. 
There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11811", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11811", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11811", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11811", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11811", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11811" } }, "CVE-2019-11815": { "affected_versions": "v4.3-rc1 to v5.1-rc4", "breaks": "467fa15356acfb7b2efa38839c3e76caa4e6e0ea", "cmt_msg": "net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Race Conditions", "fixes": "cb66ddd156203daefb8d71158036b27b0e2caf63", "last_affected_version": "5.0.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. 
There is a race condition leading to a use-after-free, related to net namespace cleanup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11815", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11815", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11815", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11815", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11815", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11815" } }, "CVE-2019-11833": { "affected_versions": "v2.6.19-rc2 to v5.2-rc1", "breaks": "a86c61812637c7dd0c57e29880cffd477b62f2e7", "cmt_msg": "ext4: zero out the unused memory region in the extent tree block", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "592acbf16821288ecdc4192c47e3774a4c48bb64", "last_affected_version": "5.1.3", "last_modified": "2023-12-06", "nvd_text": "fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11833", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11833", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11833", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11833", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11833", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11833" } }, "CVE-2019-11884": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: hidp: fix buffer overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Unspecified", "fixes": "a1616a5ac99ede5d605047a9012481ce7ff18b16", "last_affected_version": "5.1.0", "last_modified": "2023-12-06", "nvd_text": "The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\\0' character.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-11884", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-11884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-11884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-11884", "SUSE": "https://www.suse.com/security/cve/CVE-2019-11884", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11884" } }, "CVE-2019-12378": { "affected_versions": "v2.6.12-rc2 to v5.2-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": 
"None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "95baa60a0da80a0143e3ddd4d3725758b4513825", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12378", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12378", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12378", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12378", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12378", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12378" } }, "CVE-2019-12379": { "affected_versions": "v2.6.12-rc2 to v5.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management 
Errors", "fixes": "84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through 5.1.5. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. NOTE: This id is disputed as not being an issue", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12379", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12379", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12379", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12379", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12379", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12379" } }, "CVE-2019-12380": { "affected_versions": "v3.8-rc6 to v5.2-rc3", "breaks": "b8f2c21db390273c3eaf0e5308faeaeb1e233840", "cmt_msg": "efi/x86/Add missing error handling to old_memmap 1:1 mapping code", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Error Handling", "fixes": "4e78921ba4dd0aca1cc89168f45039add4183f8e", "last_modified": "2023-12-06", "nvd_text": "**DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. 
NOTE: This id is disputed as not being an issue because \u201cAll the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.\u201d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12380", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12380", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12380", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12380", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12380", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12380" } }, "CVE-2019-12381": { "affected_versions": "v2.6.12-rc2 to v5.2-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ip_sockglue: Fix missing-check bug in ip_ra_control()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "425aa0e1d01513437668fa3d4a971168bbaa8515", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). 
NOTE: this is disputed because new_ra is never used if it is NULL", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12381", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12381", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12381", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12381", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12381", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12381" } }, "CVE-2019-12382": { "affected_versions": "unk to v5.3-rc1", "breaks": "", "cmt_msg": "drm/edid: Fix a missing-check bug in drm_load_edid_firmware()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "9f1f1a2dab38d4ce87a13565cf4dc1b73bef3a5f", "last_affected_version": "5.2.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). 
NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12382", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12382", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12382", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12382", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12382", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12382" } }, "CVE-2019-12454": { "affected_versions": "v5.1-rc1 to v5.3-rc1", "breaks": "20aedafdf4926e7a957f8b302a18c8fb75c7e332", "cmt_msg": "wcd9335: fix a incorrect use of kstrndup()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "a54988113985ca22e414e132054f234fc8a92604", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in wcd9335_codec_enable_dec in sound/soc/codecs/wcd9335.c in the Linux kernel through 5.1.5. It uses kstrndup instead of kmemdup_nul, which allows attackers to have an unspecified impact via unknown vectors. 
NOTE: The vendor disputes this issues as not being a vulnerability because switching to kmemdup_nul() would only fix a security issue if the source string wasn't NUL-terminated, which is not the case", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12454", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12454", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12454", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12454", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12454", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12454" } }, "CVE-2019-12455": { "affected_versions": "v4.7-rc1 to v5.3-rc1", "breaks": "ff2bb89335daec6053b5ac778369f7f72b931142", "cmt_msg": "clk-sunxi: fix a missing-check bug in sunxi_divs_clk_setup()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "fcdf445ff42f036d22178b49cf64e92d527c1330", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because \u201cThe memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. 
Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.\u201d", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12455", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12455", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12455", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12455", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12455", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12455" } }, "CVE-2019-12456": { "affected_versions": "v3.8-rc1 to unk", "breaks": "f92363d12359498f9a9960511de1a550f0ec41c2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "86e5aca7fa2927060839f3e3b40c8bd65a7e8d1e", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a \"double fetch\" vulnerability. 
NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12456", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12456", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12456", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12456", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12456", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12456" } }, "CVE-2019-12614": { "affected_versions": "v2.6.33-rc1 to v5.3-rc1", "breaks": "ab519a011caa5ec47d992cb8a4fc8e7af9b9e3f8", "cmt_msg": "powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "NULL Pointer Dereference", "fixes": "efa9ace68e487ddd29c2b4d6dd23242158f1f607", "last_affected_version": "4.19.87", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. 
There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12614", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12614", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12614", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12614", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12614", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12614" } }, "CVE-2019-12615": { "affected_versions": "v2.6.12-rc2 to v5.2-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mdesc: fix a missing-check bug in get_vdev_port_node_info()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "80caf43549e7e41a695c6d1e11066286538b336f", "last_affected_version": "5.1.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. 
There is an unchecked kstrdup_const of node_info->vdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12615", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12615", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12615", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12615", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12615", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12615" } }, "CVE-2019-12817": { "affected_versions": "v4.17-rc1 to v5.2-rc7", "breaks": "f384796c40dc55b3dba25e0ee9c1afd98c6d24d1", "cmt_msg": "powerpc/mm/64s/hash: Reallocate context ids on fork", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Buffer Errors", "fixes": "ca72d88378b2f2444d3ec145dd442d449d3fefbc", "last_affected_version": "5.1.14", "last_modified": "2023-12-06", "nvd_text": "arch/powerpc/mm/mmu_context_book3s64.c in the Linux kernel before 5.1.15 for powerpc has a bug where unrelated processes may be able to read/write to one another's virtual memory under certain conditions via an mmap above 512 TB. 
Only a subset of powerpc systems are affected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12817", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12817", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12817", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12817", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12817", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12817" } }, "CVE-2019-12818": { "affected_versions": "v2.6.12-rc2 to v5.0", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "58bdd544e2933a21a51eecf17c3f5f94038261b5", "last_affected_version": "5.-1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. 
This affects nfc_llcp_build_gb in net/nfc/llcp_core.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12818", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12818", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12818", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12818", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12818", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12818" } }, "CVE-2019-12819": { "affected_versions": "v3.14-rc1 to v5.0-rc8", "breaks": "0c692d07842a67d9aa6b8266a80e4ac460a5c1a2", "cmt_msg": "mdio_bus: Fix use-after-free on device_register fails", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "6ff7b060535e87c2ae14dd8548512abfdda528fb", "last_affected_version": "4.20.16", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free. 
This will cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12819", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12819", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12819", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12819", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12819", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12819" } }, "CVE-2019-12881": { "affected_versions": "v2.6.12-rc2 to v4.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/i915/userptr: reject zero user_size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "c11c7bfd213495784b22ef82a69b6489f8d0092f", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12881", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12881", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12881", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12881", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12881", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12881" } }, "CVE-2019-12984": { "affected_versions": "v4.15-rc1 to v5.2-rc6", "breaks": "4d63adfe12dd9cb61ed8badb4d798955399048c2", "cmt_msg": "nfc: Ensure presence of required attributes in the deactivate_target handler", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "385097a3675749cbc9e97c085c0e5dfe4269ca51", "last_affected_version": "5.1.12", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC attributes, leading to denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-12984", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-12984", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-12984", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-12984", "SUSE": "https://www.suse.com/security/cve/CVE-2019-12984", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12984" } }, "CVE-2019-13233": { "affected_versions": "v4.15-rc1 to v5.2-rc4", "breaks": "670f928ba09b06712da34a3c44be6c8fa561fb19", "cmt_msg": "x86/insn-eval: Fix use-after-free access to LDT entry", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Race Conditions", "fixes": "de9f869616dd95e95c00bdd6b0fcd3421e8a4323", "last_affected_version": "5.1.8", "last_modified": "2023-12-06", "nvd_text": "In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-13233", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-13233", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-13233", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-13233", "SUSE": "https://www.suse.com/security/cve/CVE-2019-13233", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13233" } }, "CVE-2019-13272": { "affected_versions": "v4.10-rc1 to v5.2", "backport": true, "breaks": "64b875f7ac8a5d60a4e191479299e931ee949b67", "cmt_msg": "ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Permissions, Privileges, 
and Access Controls", "fixes": "6994eefb0053799d2e07cd140df6c2ea106c41ee", "last_affected_version": "5.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-13272", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-13272", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-13272", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-13272", "SUSE": "https://www.suse.com/security/cve/CVE-2019-13272", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13272" } }, "CVE-2019-13631": { "affected_versions": "v2.6.21-rc1 to v5.3-rc1", "breaks": "a19ceb56cbd1e1beff3e9cf6042e1f31f6487aa6", "cmt_msg": "Input: gtco - bounds check collection indent level", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Out-of-bounds Write", "fixes": "2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-13631", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-13631", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-13631", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-13631", "SUSE": "https://www.suse.com/security/cve/CVE-2019-13631", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13631" } }, "CVE-2019-13648": { "affected_versions": "v3.9-rc1 to v5.3-rc2", "breaks": "2b0a576d15e0e14751f00f9c87e46bad27f217e7", "cmt_msg": "powerpc/tm: Fix oops on sigreturn on systems without TM", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "f16d80b75a096c52354c6e0a574993f3b0dfbdfe", "last_affected_version": "5.2.4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a 
crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-13648", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-13648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-13648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-13648", "SUSE": "https://www.suse.com/security/cve/CVE-2019-13648", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13648" } }, "CVE-2019-14283": { "affected_versions": "v2.6.12-rc2 to v5.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: fix out-of-bounds read in copy_buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Out-of-bounds Read", "fixes": "da99466ac243f15fbba65bd261bfc75ffa1532b6", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. 
NOTE: QEMU creates the floppy device by default.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14283", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14283", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14283", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14283", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14283", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14283" } }, "CVE-2019-14284": { "affected_versions": "v2.6.12-rc2 to v5.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: fix div-by-zero in setup_format_params", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Divide By Zero", "fixes": "f3554aeb991214cbfafd17d55e2bfddb50282e32", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. 
NOTE: QEMU creates the floppy device by default.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14284", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14284", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14284", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14284", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14284", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14284" } }, "CVE-2019-14615": { "affected_versions": "v2.6.12-rc2 to v5.5-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/i915/gen9: Clear residual context state on context switch", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14615", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14615", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14615", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14615", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14615", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14615" } }, "CVE-2019-14763": { "affected_versions": "v4.11-rc1 to v4.17-rc1", "breaks": "749494b6bdbbaf0899aa1c62a1ad74cd747bce47", "cmt_msg": "usb: dwc3: gadget: never call ->complete() from ->ep_queue()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Numeric Errors", "fixes": "c91815b596245fd7da349ecc43c8def670d2269e", "last_affected_version": "4.16.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14763", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14763", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14763", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14763", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14763", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14763" } }, "CVE-2019-14814": { "affected_versions": "v3.7-rc1 to v5.3", "breaks": "a3c2c4f6d8bcd473a7016db93da4f10b3f10f25f", "cmt_msg": "mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { 
"Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "7caac62ed598a196d6ddf8d9c121e12e082cac3a", "last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14814", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14814", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14814", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14814", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14814", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14814" } }, "CVE-2019-14815": { "affected_versions": "v4.10-rc1 to v5.3", "breaks": "113630b581d6d423998d2113a8e892ed6e6af6f9", "cmt_msg": "mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Heap-based Buffer Overflow", "fixes": "7caac62ed598a196d6ddf8d9c121e12e082cac3a", 
"last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14815", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14815", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14815", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14815", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14815", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14815" } }, "CVE-2019-14816": { "affected_versions": "v3.7-rc1 to v5.3", "breaks": "8a6e231766bdd2e1d228a14af89e36dc190be3a6", "cmt_msg": "mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "7caac62ed598a196d6ddf8d9c121e12e082cac3a", "last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14816", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14816", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-14816", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14816", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14816", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14816" } }, "CVE-2019-14821": { "affected_versions": "v2.6.27-rc1 to v5.4-rc1", "breaks": "5f94c1741bdc7a336553122036e8a779e616ccbf", "cmt_msg": "KVM: coalesced_mmio: add bounds checking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Out-of-bounds Write", "fixes": "b60fe990c6b07ef6d4df67bc0530c7c90a62623a", "last_affected_version": "5.3.0", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. 
An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14821", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14821", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14821", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14821", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14821", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14821" } }, "CVE-2019-14835": { "affected_versions": "v2.6.34-rc1 to v5.3", "breaks": "3a4d5c94e959359ece6d6b55045c3f046677f55c", "cmt_msg": "vhost: make sure log_num < in_num", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "060423bfdee3f8bc6e2c1bac97de24d5415e2bc4", "last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. 
A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14835", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14835", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14835", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14835", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14835", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14835" } }, "CVE-2019-14895": { "affected_versions": "v2.6.12-rc2 to v5.5-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mwifiex: fix possible heap overflow in mwifiex_process_country_ie()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Heap-based Buffer Overflow", "fixes": "3d94a4a8373bf5f45cf5f939e88b8354dbf2311b", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. 
This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14895", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14895", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14895", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14895", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14895", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14895" } }, "CVE-2019-14896": { "affected_versions": "v2.6.12-rc2 to v5.5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "libertas: Fix two buffer overflows at parsing bss descriptor", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Heap-based Buffer Overflow", "fixes": "e5e884b42639c74b5b57dc277909915c0aefc8bb", "last_affected_version": "5.4", "last_modified": "2023-12-06", "nvd_text": "A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. 
A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14896", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14896", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14896", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14896" } }, "CVE-2019-14897": { "affected_versions": "v2.6.12-rc2 to v5.5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "libertas: Fix two buffer overflows at parsing bss descriptor", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Stack-based Buffer Overflow", "fixes": "e5e884b42639c74b5b57dc277909915c0aefc8bb", "last_affected_version": "5.4", "last_modified": "2023-12-06", "nvd_text": "A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. 
An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14897", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14897", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14897", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14897", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14897", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14897" } }, "CVE-2019-14898": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Locking", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. 
A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14898", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14898", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14898", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14898", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14898", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14898" }, "vendor_specific": true }, "CVE-2019-14901": { "affected_versions": "v2.6.12-rc2 to v5.5-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "1e58252e334dc3f3756f424a157d1b7484464c40", "last_affected_version": "5.4.10", "last_modified": "2023-12-06", "nvd_text": "A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. 
If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-14901", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-14901", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-14901", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-14901", "SUSE": "https://www.suse.com/security/cve/CVE-2019-14901", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14901" } }, "CVE-2019-15030": { "affected_versions": "v4.12-rc2 to v5.3-rc8", "breaks": "f48e91e87e67b56bef63393d1a02c6e22c1d7078", "cmt_msg": "powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "score": 4.4 }, "cwe": "Improper Input Validation", "fixes": "8205d5d98ef7f155de211f5e2eb6ca03d95a5a60", "last_affected_version": "5.2.14", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. 
At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15030", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15030", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15030", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15030", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15030", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15030" } }, "CVE-2019-15031": { "affected_versions": "v4.15-rc1 to v5.3-rc8", "breaks": "a7771176b4392fbc3a17399c51a8c11f2f681afe", "cmt_msg": "powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "score": 4.4 }, "cwe": "Information Exposure", "fixes": "a8318c13e79badb92bc6640704a64cc022a6eb97", "last_affected_version": "5.2.14", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. 
At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15031", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15031", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15031", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15031", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15031", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15031" } }, "CVE-2019-15090": { "affected_versions": "v4.10-rc1 to v5.2-rc2", "breaks": "ace7f46ba5fde7273207c7122b0650ceb72510e0", "cmt_msg": "scsi: qedi: remove memset/memcpy to nfunc and use func instead", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Read", "fixes": "c09581a52765a85f19fc35340127396d5e3379cc", "last_affected_version": "5.1.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. 
In the qedi_dbg_* family of functions, there is an out-of-bounds read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15090", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15090", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15090", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15090", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15090", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15090" } }, "CVE-2019-15098": { "affected_versions": "v3.5-rc1 to v5.4-rc1", "breaks": "9cbee358687edf0359e29ac683ec25835134f059", "cmt_msg": "ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "39d170b3cb62ba98567f5c4f40c27b5864b304e5", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15098", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15098", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15098", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15098", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15098", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15098" } }, 
"CVE-2019-15099": { "affected_versions": "v4.14-rc1 to v5.5-rc1", "breaks": "4db66499df91b9398435e2dbee0e42cd6df0bc27", "cmt_msg": "ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "bfd6e6e6c5d2ee43a3d9902b36e01fc7527ebb27", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15099", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15099", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15099", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15099", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15099", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15099" } }, "CVE-2019-15117": { "affected_versions": "v2.6.12-rc2 to v5.3-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "daac07156b330b18eb5071aec4b3ddca1c377f2c", "last_affected_version": "5.2.9", "last_modified": "2023-12-06", "nvd_text": "parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15117", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15117", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15117", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15117", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15117", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15117" } }, "CVE-2019-15118": { "affected_versions": "v2.6.12-rc2 to v5.3-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "19bce474c45be69a284ecee660aa12d8f1e88f18", "last_affected_version": "5.2.9", "last_modified": "2023-12-06", "nvd_text": "check_input_term in sound/usb/mixer.c in the Linux kernel 
through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15118", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15118", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15118", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15118", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15118", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15118" } }, "CVE-2019-15211": { "affected_versions": "v3.14-rc1 to v5.3-rc1", "breaks": "21326c461e10431767e817e858e66113336d361c", "cmt_msg": "media: radio-raremono: change devm_k*alloc to k*alloc", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "c666355e60ddb4748ead3bdd983e3f7f2224aaf0", "last_affected_version": "5.2.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.6. 
There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15211", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15211", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15211", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15211", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15211", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15211" } }, "CVE-2019-15212": { "affected_versions": "v2.6.12-rc2 to v5.2-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: rio500: refuse more than one device at a time", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Double Free", "fixes": "3864d33943b4a76c6e64616280e98d2410b1190f", "last_affected_version": "5.1.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.1.8. 
There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15212", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15212", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15212", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15212", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15212", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15212" } }, "CVE-2019-15213": { "affected_versions": "v4.19-rc1 to v5.3-rc1", "breaks": "299c7007e93645067e1d2743f4e50156de78c4ff", "cmt_msg": "media: dvb: usb: fix use after free in dvb_usb_device_exit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "6cf97230cd5f36b7665099083272595c55d72be7", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.3. 
There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15213", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15213", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15213", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15213", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15213", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15213" } }, "CVE-2019-15214": { "affected_versions": "v2.6.12-rc2 to v5.1-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: core: Fix card races between register and disconnect", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Use After Free", "fixes": "2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac", "last_affected_version": "5.0.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. 
This is related to sound/core/init.c and sound/core/info.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15214", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15214", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15214", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15214", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15214", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15214" } }, "CVE-2019-15215": { "affected_versions": "v3.5-rc1 to v5.3-rc1", "breaks": "6c493f8b28c6744995e92801a20dca192635dd22", "cmt_msg": "media: cpia2_usb: first wake up, then free in disconnect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "eff73de2b1600ad8230692f00bc0ab49b166512a", "last_affected_version": "5.2.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.6. 
There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15215", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15215", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15215", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15215", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15215", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15215" } }, "CVE-2019-15216": { "affected_versions": "v2.6.37-rc1 to v5.1", "breaks": "6bc235a2e24a5ef677daee3fd4f74f6cd643e23c", "cmt_msg": "USB: yurex: Fix protection fault after device removal", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "ef61eb43ada6c1d6b94668f0f514e4c268093ff3", "last_affected_version": "5.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.14. 
There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15216", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15216", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15216", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15216", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15216", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15216" } }, "CVE-2019-15217": { "affected_versions": "v2.6.32-rc1 to v5.3-rc1", "breaks": "ccbf035ae5de4c535160fc99f73feb44cc55b534", "cmt_msg": "media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.3. 
There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15217", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15217", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15217", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15217", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15217", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15217" } }, "CVE-2019-15218": { "affected_versions": "v3.10-rc1 to v5.2-rc3", "breaks": "05f0ffbc487517a529c00119d0bfde33df509b52", "cmt_msg": "media: usb: siano: Fix general protection fault in smsusb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "31e0456de5be379b10fea0fa94a681057114a96e", "last_affected_version": "5.1.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.1.8. 
There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15218", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15218", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15218", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15218", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15218", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15218" } }, "CVE-2019-15219": { "affected_versions": "v2.6.24-rc1 to v5.2-rc3", "breaks": "7b5cd5fefbe023625a7ff7604e8beb9a15a9efab", "cmt_msg": "USB: sisusbvga: fix oops in error path of sisusb_probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "9a5729f68d3a82786aea110b1bfe610be318f80a", "last_affected_version": "5.1.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.1.8. 
There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15219", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15219", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15219", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15219", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15219", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15219" } }, "CVE-2019-15220": { "affected_versions": "v3.5-rc1 to v5.3-rc1", "breaks": "5612a508d11f81c1ca3290260f86328dfb55d513", "cmt_msg": "p54usb: Fix race between disconnect and firmware loading", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "6e41e2257f1094acc37618bf6c856115374c6922", "last_affected_version": "5.2.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.1. 
There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15220", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15220", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15220", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15220", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15220", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15220" } }, "CVE-2019-15221": { "affected_versions": "v2.6.12-rc2 to v5.2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: line6: Fix write on zero-sized buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "3450121997ce872eb7f1248417225827ea249710", "last_affected_version": "5.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.1.17. 
There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15221", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15221", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15221", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15221", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15221", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15221" } }, "CVE-2019-15222": { "affected_versions": "v5.3-rc1 to v5.3-rc3", "backport": true, "breaks": "801ebf1043ae7b182588554cc9b9ad3c14bc2ab5", "cmt_msg": "ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "5d78e1c2b7f4be00bbe62141603a631dc7812f35", "last_affected_version": "5.2.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.8. 
There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15222", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15222", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15222", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15222" } }, "CVE-2019-15223": { "affected_versions": "v5.2-rc1 to v5.2-rc3", "backport": true, "breaks": "7f84ff68be05ec7a5d2acf8fdc734fe5897af48f", "cmt_msg": "ALSA: line6: Assure canceling delayed work at disconnection", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "0b074ab7fc0d575247b9cc9f93bb7e007ca38840", "last_affected_version": "5.1.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.1.8. 
There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15223", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15223", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15223", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15223", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15223", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15223" } }, "CVE-2019-15239": { "affected_versions": "v4.17-rc7 to unk", "alt_msg": "tcp: reset sk_send_head in tcp_write_queue_purge", "backport": true, "breaks": "7f582b248d0a86bae5788c548d7bb5bca6f7691a", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "dbbf2d1e4077bab0c65ece2765d3fc69cf7d610f", "last_affected_version": "4.14.31", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. 
NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15239", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15239", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15239", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15239", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15239", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15239" } }, "CVE-2019-15290": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "score": "4.9" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "score": "4.6" }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-15098. Reason: This candidate is a duplicate of CVE-2019-15098. Notes: All CVE users should reference CVE-2019-15098 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15290", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15290", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15290", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15290", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15290", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15290" }, "rejected": true }, "CVE-2019-15291": { "affected_versions": "v2.6.12-rc5 to v5.5-rc1", "breaks": "2add87a95068d6457d4e5824d0417d39007665a4", "cmt_msg": "media: b2c2-flexcop-usb: add sanity checking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "1b976fc6d684e3282914cdbe7a8d68fdce19095c", "last_affected_version": "5.4.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.2.9. 
There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15291", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15291", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15291", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15291", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15291", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15291" } }, "CVE-2019-15292": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "appletalk: Fix use-after-free in atalk_proc_exit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Use After Free", "fixes": "6377f787aeb945cae7abbb6474798de129e1f3ac", "last_affected_version": "5.0.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.9. 
There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15292", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15292", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15292", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15292", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15292", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15292" } }, "CVE-2019-15504": { "affected_versions": "v4.17-rc1 to v5.3", "breaks": "a1854fae1414dd8edfff4857fd26c3e355d43e19", "cmt_msg": "rsi: fix a double free bug in rsi_91x_deinit()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Double Free", "fixes": "8b51dc7291473093c821195c4b6af85fadedbc2f", "last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15504", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15504", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15504", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15504", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15504", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15504" } }, "CVE-2019-15505": { "affected_versions": "v2.6.39-rc1 to v5.4-rc1", "breaks": "739ff04f63ba6498b287021649cb999e639c3c83", "cmt_msg": "media: technisat-usb2: break out of loop at end of buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Out-of-bounds Read", "fixes": "0c4df39e504bf925ab666132ac3c98d6cbbe380b", "last_affected_version": "5.3.0", "last_modified": "2023-12-06", "nvd_text": "drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15505", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15505", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15505", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15505", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15505", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15505" } }, "CVE-2019-15538": { "affected_versions": "v4.7-rc1 to v5.3-rc6", "breaks": "253f4911f297b83745938b7f2c5649b94730b002", "cmt_msg": "xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", 
"raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "1fb254aa983bf190cfd685d40c64a480a9bafaee", "last_affected_version": "5.2.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15538", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15538", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15538", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15538", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15538", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15538" } }, "CVE-2019-15666": { "affected_versions": "v3.14-rc1 to v5.1", "breaks": "e682adf021be796940be6cc10c07be7f7398c220", "cmt_msg": "xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", 
"User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "b805d78d300bcf2c83d6df7da0c818b0fee41427", "last_affected_version": "5.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15666", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15666", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15666", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15666", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15666", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15666" } }, "CVE-2019-15791": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Operation on a Resource after Expiration or Release", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. 
After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15791", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15791", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15791", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15791", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15791", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15791" }, "vendor_specific": true }, "CVE-2019-15792": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a \"struct shiftfs_file_info *\". 
As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15792", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15792", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15792", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15792", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15792", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15792" }, "vendor_specific": true }, "CVE-2019-15793": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Insertion of Sensitive Information into Externally-Accessible File or Directory", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. 
A local attacker could use this to possibly bypass discretionary access control permissions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15793", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15793", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15793", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15793", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15793", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15793" }, "vendor_specific": true }, "CVE-2019-15794": { "affected_versions": "v4.19-rc1 to v5.12", "breaks": "2f502839e85ab265f03f25f30d6463154aee5473", "cmt_msg": "ovl: fix reference counting in ovl_mmap error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Operation on a Resource after Expiration or Release", "fixes": "2896900e22f8212606a1837d89a6bbce314ceeda", "last_affected_version": "5.11", "last_modified": "2023-12-06", "nvd_text": "Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. 
However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15794", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15794", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15794", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15794", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15794", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15794" } }, "CVE-2019-15807": { "affected_versions": "v2.6.19-rc1 to v5.2-rc3", "breaks": "2908d778ab3e244900c310974e1fc1c69066e450", "cmt_msg": "scsi: libsas: delete sas port if expander discover failed", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Resource Management Errors", "fixes": "3b0541791453fbe7f42867e310e0c9eb6295364d", "last_affected_version": "5.1.12", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. 
This will cause a BUG and denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15807", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15807", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15807", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15807", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15807", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15807" } }, "CVE-2019-15902": { "affected_versions": "unk to unk", "alt_msg": "x86/ptrace: fix up botched merge of spectrev1 fix", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "", "last_affected_version": "5.2.11", "last_modified": "2023-12-06", "nvd_text": "A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream \"x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()\" commit reintroduced the Spectre vulnerability that it aimed to eliminate. 
This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15902", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15902", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15902", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15902", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15902", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15902" } }, "CVE-2019-15916": { "affected_versions": "v2.6.38-rc1 to v5.1-rc1", "breaks": "1d24eb4815d1e0e8b451ecc546645f8ef1176d4f", "cmt_msg": "net-sysfs: Fix mem leak in netdev_register_kobject", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab", "last_affected_version": "5.0.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.1. 
There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15916", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15916", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15916", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15916", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15916", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15916" } }, "CVE-2019-15917": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "56897b217a1d0a91c9920cb418d6b3fe922f590a", "last_affected_version": "5.0.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.5. 
There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15917", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15917", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15917", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15917", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15917", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15917" } }, "CVE-2019-15918": { "affected_versions": "v4.14-rc2 to v5.1-rc6", "breaks": "9764c02fcbad40001fd3f63558d918e4d519bb75", "cmt_msg": "cifs: Fix lease buffer length error", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "b57a55e2200ede754e4dc9cce4ba9402544b9365", "last_affected_version": "5.0.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.10. 
SMB2_negotiate in fs/cifs/smb2pdu.c has an out-of-bounds read because data structures are incompletely updated after a change from smb30 to smb21.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15918", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15918", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15918", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15918", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15918", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15918" } }, "CVE-2019-15919": { "affected_versions": "v4.18-rc1 to v5.1-rc6", "breaks": "eccb4422cf97a4b0daf97b3f3d68044514fea7bd", "cmt_msg": "cifs: Fix use-after-free in SMB2_write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Use After Free", "fixes": "6a3eb3360667170988f8a6477f6686242061488a", "last_affected_version": "5.0.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.10. 
SMB2_write in fs/cifs/smb2pdu.c has a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15919", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15919", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15919", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15919", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15919", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15919" } }, "CVE-2019-15920": { "affected_versions": "v4.18-rc1 to v5.1-rc6", "breaks": "eccb4422cf97a4b0daf97b3f3d68044514fea7bd", "cmt_msg": "cifs: Fix use-after-free in SMB2_read", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "score": 4.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 4.3 }, "cwe": "Use After Free", "fixes": "088aaf17aa79300cab14dbee2569c58cfafd7d6e", "last_affected_version": "5.0.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_read in fs/cifs/smb2pdu.c has a use-after-free. 
NOTE: this was not fixed correctly in 5.0.10; see the 5.0.11 ChangeLog, which documents a memory leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15920", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15920", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15920", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15920", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15920", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15920" } }, "CVE-2019-15921": { "affected_versions": "v4.10-rc1 to v5.1-rc3", "breaks": "2ae0f17df1cd52aafd1ab0415ea1f1dd56dc0e2a", "cmt_msg": "genetlink: Fix a memory leak on error path", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Resource Management Errors", "fixes": "ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2", "last_affected_version": "5.0.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.6. 
There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15921", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15921", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15921", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15921", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15921", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15921" } }, "CVE-2019-15922": { "affected_versions": "v5.1-rc2 to v5.1-rc4", "breaks": "6ce59025f1182125e75c8d121daf44056b65dd1f", "cmt_msg": "paride/pf: Fix potential NULL pointer dereference", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "58ccd2d31e502c37e108b285bf3d343eb00c235b", "last_affected_version": "5.0.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.9. 
There is a NULL pointer dereference for a pf data structure if alloc_disk fails in drivers/block/paride/pf.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15922", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15922", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15922", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15922", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15922", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15922" } }, "CVE-2019-15923": { "affected_versions": "v5.1-rc2 to v5.1-rc4", "breaks": "81b74ac68c28fddb3589ad5d4d5e587baf4bb781", "cmt_msg": "paride/pcd: Fix potential NULL pointer dereference and mem leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "f0d1762554014ce0ae347b9f0d088f2c157c8c72", "last_affected_version": "5.0.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.9. 
There is a NULL pointer dereference for a cd data structure if alloc_disk fails in drivers/block/paride/pf.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15923", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15923", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15923", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15923", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15923", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15923" } }, "CVE-2019-15924": { "affected_versions": "v4.8-rc1 to v5.1-rc4", "breaks": "0a38c17a21a0965b4853211afa1d3e85428e6170", "cmt_msg": "fm10k: Fix a potential NULL pointer dereference", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "01ca667133d019edc9f0a1f70a272447c84ec41f", "last_affected_version": "5.0.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.11. 
fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15924", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15924", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15924", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15924", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15924", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15924" } }, "CVE-2019-15925": { "affected_versions": "v4.14-rc1 to v5.3-rc1", "breaks": "848440544b41fbe21f36072ee7dc7c3c59ce62e2", "cmt_msg": "net: hns3: add some error checking in hclge_tm module", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "04f25edb48c441fc278ecc154c270f16966cbb90", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.3. 
An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15925", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15925", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15925", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15925", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15925", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15925" } }, "CVE-2019-15926": { "affected_versions": "v3.2-rc1 to v5.3-rc1", "breaks": "bdcd81707973cf8aa9305337166f8ee842a050d4", "cmt_msg": "ath6kl: add some bounds checking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:C/I:N/A:C", "score": 9.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 9.1 }, "cwe": "Out-of-bounds Read", "fixes": "5d6751eaff672ea77642e74e92e6c0ac7f9709ab", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.3. 
Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15926", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15926", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15926", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15926", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15926", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15926" } }, "CVE-2019-15927": { "affected_versions": "v2.6.12-rc2 to v5.0-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "f4351a199cc120ff9d59e06d02e8657d08e6cc46", "last_affected_version": "4.20.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 4.20.2. 
An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-15927", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-15927", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-15927", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-15927", "SUSE": "https://www.suse.com/security/cve/CVE-2019-15927", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15927" } }, "CVE-2019-16089": { "affected_versions": "v4.12-rc1 to unk", "breaks": "47d902b90a32a42a3d33aef3a02170fc6f70aa23", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.2.13. 
nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16089", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16089", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16089", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16089", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16089", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16089" } }, "CVE-2019-16229": { "affected_versions": "v4.15-rc1 to v5.5-rc1", "breaks": "48e876a20e79566f1736413d4f42dc66f3ab2f16", "cmt_msg": "drm/amdkfd: fix a potential NULL pointer dereference (v2)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "NULL Pointer Dereference", "fixes": "81de29d842ccb776c0f77aa3e2b11b07fff0c0e2", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. 
NOTE: The security community disputes this issue as not being serious enough to deserve a CVE id", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16229", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16229", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16229", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16229", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16229", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16229" } }, "CVE-2019-16230": { "affected_versions": "v3.16-rc1 to v5.5-rc1", "breaks": "fa7f517cb26eb1a1a1f0baffcced39f6c3ec3337", "cmt_msg": "drm/amdkfd: fix a potential NULL pointer dereference (v2)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "NULL Pointer Dereference", "fixes": "81de29d842ccb776c0f77aa3e2b11b07fff0c0e2", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. 
It is not attacker controllable and OOM at that time is highly unlikely", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16230", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16230", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16230", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16230", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16230", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16230" } }, "CVE-2019-16231": { "affected_versions": "v4.3-rc1 to v5.4-rc6", "breaks": "b772b9dc63df0ca8a750ceac9ab356376022f0b6", "cmt_msg": "fjes: Handle workqueue allocation failure", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "NULL Pointer Dereference", "fixes": "85ac30fa2e24f628e9f4f9344460f4015d33fd7d", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16231", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16231", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16231", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16231", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16231", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16231" } }, "CVE-2019-16232": { "affected_versions": 
"v2.6.30-rc1 to v5.5-rc1", "breaks": "9b02f419a7dbd956b2c293e5cb1790b6b687f367", "cmt_msg": "libertas: fix a potential NULL pointer dereference", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "NULL Pointer Dereference", "fixes": "7da413a18583baaf35dd4a8eb414fa410367d7f2", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16232", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16232", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16232", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16232", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16232", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16232" } }, "CVE-2019-16233": { "affected_versions": "v2.6.31-rc1 to v5.4-rc5", "breaks": "68ca949cdb04b4dc71451a999148fbc5f187a220", "cmt_msg": "scsi: qla2xxx: fix a potential NULL pointer dereference", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": 
"None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "NULL Pointer Dereference", "fixes": "35a79a63517981a8aea395497c548776347deda8", "last_affected_version": "5.3.9", "last_modified": "2023-12-06", "nvd_text": "drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16233", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16233", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16233", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16233", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16233", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16233" } }, "CVE-2019-16234": { "affected_versions": "v4.3-rc1 to v5.4-rc4", "breaks": "26d535aedc0e9fcf2c8bee65b33cecb58ee8e8ed", "cmt_msg": "iwlwifi: pcie: fix rb_allocator workqueue allocation", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "NULL Pointer Dereference", "fixes": "8188a18ee2e48c9a7461139838048363bfce3fef", "last_affected_version": "4.19.107", "last_modified": "2023-12-06", "nvd_text": "drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16234", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16234", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16234", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16234", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16234", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16234" } }, "CVE-2019-16413": { "affected_versions": "v2.6.32-rc1 to v5.1-rc1", "breaks": "7549ae3e81cc45908cbeee54a52b24f247fb0a2d", "cmt_msg": "9p: use inode->i_lock to protect i_size_write() under 32-bit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Loop with Unreachable Exit Condition ('Infinite Loop')", "fixes": "5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f", "last_affected_version": "5.0.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.4. 
The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16413", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16413", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16413", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16413", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16413", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16413" } }, "CVE-2019-16714": { "affected_versions": "v5.1-rc1 to v5.3-rc7", "breaks": "3eb450367d0823226515ee24712ed08eccb33eb9", "cmt_msg": "net/rds: Fix info leak in rds6_inc_info_copy()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Information Exposure", "fixes": "7d0a06586b2686ba80c4a2da5f91cb10ffbea736", "last_affected_version": "5.2.13", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16714", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16714", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16714", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16714", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16714", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16714" } }, "CVE-2019-16746": { "affected_versions": "v2.6.25-rc1 to v5.4-rc2", "breaks": "ed1b6cc7f80f831e192704b05b9917f9cc37be15", "cmt_msg": "nl80211: validate beacon head", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "f88eb7c0d002a67ef31aeb7850b42ff69abc46dc", "last_affected_version": "5.3.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. 
It does not check the length of variable elements in a beacon head, leading to a buffer overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16746", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16746", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16746", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16746", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16746", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16746" } }, "CVE-2019-16921": { "affected_versions": "v4.17-rc1 to v4.17-rc1", "backport": true, "breaks": "e088a685eae94a0607b8f7b99949a0e14d748813", "cmt_msg": "RDMA/hns: Fix init resp when alloc ucontext", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Improper Initialization", "fixes": "df7e40425813c50cd252e6f5e348a81ef1acae56", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16921", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16921", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16921", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16921", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16921", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16921" } }, "CVE-2019-16994": { "affected_versions": "v4.12-rc6 to v5.0", "breaks": "cf124db566e6b036b8bcbe8decbed740bdfac8c6", "cmt_msg": "net: sit: fix memory leak in sit_init_net()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "07f12b26e21ab359261bf75cfcb424fdc7daeb6d", "last_affected_version": "5.-1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16994", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16994", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16994", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16994", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16994", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16994" } }, "CVE-2019-16995": { "affected_versions": "v3.17-rc1 to v5.1-rc1", "breaks": "c5a7591172100269e426cf630da0f2dc8138a206", "cmt_msg": "net: hsr: fix memory leak in hsr_dev_finalize()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": 
"None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "6caabe7f197d3466d238f70915d65301f1716626", "last_affected_version": "5.0.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.0.3, a memory leak exists in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-16995", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-16995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-16995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-16995", "SUSE": "https://www.suse.com/security/cve/CVE-2019-16995", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16995" } }, "CVE-2019-17052": { "affected_versions": "v2.6.12-rc2 to v5.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ax25: enforce CAP_NET_RAW for raw sockets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Incorrect Default Permissions", "fixes": "0614e2b73768b502fc32a75349823356d98aae2c", "last_affected_version": 
"5.3.3", "last_modified": "2023-12-06", "nvd_text": "ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel 3.16 through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17052", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17052", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17052", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17052", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17052", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17052" } }, "CVE-2019-17053": { "affected_versions": "v2.6.31-rc1 to v5.4-rc1", "breaks": "9ec7671603573ede31207eb5b0b3e1aa211b2854", "cmt_msg": "ieee802154: enforce CAP_NET_RAW for raw sockets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Incorrect Default Permissions", "fixes": "e69dbd4619e7674c1679cba49afd9dd9ac347eef", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17053", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17053", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-17053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17053", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17053", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17053" } }, "CVE-2019-17054": { "affected_versions": "v2.6.12-rc2 to v5.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "appletalk: enforce CAP_NET_RAW for raw sockets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Incorrect Default Permissions", "fixes": "6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17054", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17054", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17054", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17054", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17054", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17054" } }, "CVE-2019-17055": { "affected_versions": "v2.6.27-rc1 to v5.4-rc1", "breaks": "1b2b03f8e514e4f68e293846ba511a948b80243c", "cmt_msg": "mISDN: enforce CAP_NET_RAW for raw sockets", "cvss2": { "Access 
Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Improper Input Validation", "fixes": "b91ee4aa2a2199ba4d4650706c272985a5a32d80", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17055", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17055", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17055", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17055", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17055", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17055" } }, "CVE-2019-17056": { "affected_versions": "v3.7-rc1 to v5.4-rc1", "breaks": "4463523bef98ff827a89cf8219db7dfac4350241", "cmt_msg": "nfc: enforce CAP_NET_RAW for raw sockets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Incorrect Default Permissions", "fixes": "3a359798b176183ef09efb7a3dc59abad1cc7104", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17056", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17056", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17056", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17056", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17056", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17056" } }, "CVE-2019-17075": { "affected_versions": "v2.6.35-rc1 to v5.4-rc3", "breaks": "cfdda9d764362ab77b11a410bb928400e6520d57", "cmt_msg": "RDMA/cxgb4: Do not dma memory off of the stack", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Unspecified", "fixes": "3840c5b78803b2b6cc1ff820100a74a092c40cbb", "last_affected_version": "5.3.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. 
This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an architecture for which this stack/DMA interaction has security relevance.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17075", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17075", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17075", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17075", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17075", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17075" } }, "CVE-2019-17133": { "affected_versions": "v2.6.32-rc1 to v5.4-rc4", "breaks": "a42dd7efd934888833c01199dbd21b242100ee92", "cmt_msg": "cfg80211: wext: avoid copying malformed SSIDs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "4ac2813cc867ae563a1ba5a9414bfb554e5796fa", "last_affected_version": "5.3.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17133", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17133", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17133", "SUSE": 
"https://www.suse.com/security/cve/CVE-2019-17133", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17133" } }, "CVE-2019-17351": { "affected_versions": "v2.6.26-rc1 to v5.3-rc1", "breaks": "1775826ceec51187aa868406585799b7e76ffa7d", "cmt_msg": "xen: let alloc_xenballooned_pages() fail if not enough memory free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "a1078e821b605813b63bf6bca414a85f804d5c66", "last_affected_version": "5.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17351", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17351", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17351", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17351", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17351", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17351" } }, "CVE-2019-17666": { "affected_versions": "v3.10-rc1 to v5.4-rc6", "breaks": "26634c4b1868323f49f8cd24c3493b57819867fd", "cmt_msg": "rtlwifi: Fix potential overflow on P2P code", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent 
Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "score": 8.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "8c55dedb795be8ec0cf488f98c03a1c2176f7fb1", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-17666", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-17666", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-17666", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-17666", "SUSE": "https://www.suse.com/security/cve/CVE-2019-17666", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17666" } }, "CVE-2019-18198": { "affected_versions": "v5.3-rc1 to v5.4-rc1", "breaks": "7d9e5f422150ed00de744e02a80734d74cc9704d", "cmt_msg": "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "ca7a03c4175366a92cee0ccc4fec0038c3266e26", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18198", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18198", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18198", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18198", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18198", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18198" } }, "CVE-2019-18282": { "affected_versions": "v3.17-rc1 to v5.4-rc6", "breaks": "cb1ce2ef387b01686469487edd45994872d52d73", "cmt_msg": "net/flow_dissector: switch to siphash", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 5.3 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "55667441c84fa5e0911a0aac44fb059c15ba6da2", "last_affected_version": "5.3.9", "last_modified": "2023-12-06", "nvd_text": "The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka 
CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18282", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18282", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18282", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18282", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18282", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18282" } }, "CVE-2019-18660": { "affected_versions": "v2.6.12-rc2 to v5.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "powerpc/book3s64: Fix link stack flush on context switch", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Information Exposure", "fixes": "39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad", "last_affected_version": "5.4.0", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. 
This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18660", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18660", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18660", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18660" } }, "CVE-2019-18675": { "affected_versions": "v2.6.17-rc1 to v4.17-rc5", "breaks": "ab33d5071de7a33616842882c11b5eb52a6c26a1", "cmt_msg": "mmap: introduce sane default mmap limits", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "be83bbf806822b1b89e0a0f23cd87cddc409e429", "last_affected_version": "4.16.14", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. 
This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18675", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18675", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18675", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18675", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18675", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18675" } }, "CVE-2019-18680": { "affected_versions": "unk to unk", "alt_msg": "net: rds: Fix NULL ptr use in rds_tcp_kill_sock", "backport": true, "breaks": "cb66ddd156203daefb8d71158036b27b0e2caf63", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "cb66ddd156203daefb8d71158036b27b0e2caf63", "last_affected_version": "4.4.194", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 4.4.x before 4.4.195. 
There is a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service, aka CID-91573ae4aed0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18680", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18680", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18680", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18680", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18680", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18680" } }, "CVE-2019-18683": { "affected_versions": "v3.18-rc1 to v5.5-rc1", "breaks": "3f682ffcf957b556a7868decd5593d765ed3455d", "cmt_msg": "media: vivid: Fix wrong locking that causes race conditions on streaming stop", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27", "last_affected_version": "5.4.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). 
These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18683", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18683", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18683", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18683", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18683", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18683" } }, "CVE-2019-18786": { "affected_versions": "v4.13-rc1 to v5.5-rc1", "breaks": "7625ee981af166ddb569e2e6c0006e2af471326f", "cmt_msg": "media: rcar_drif: fix a memory disclosure", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Exposure", "fixes": "d39083234c60519724c6ed59509a2129fd2aed41", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18786", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18786", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2019-18786", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18786", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18786" } }, "CVE-2019-18805": { "affected_versions": "v4.15-rc1 to v5.1-rc7", "breaks": "bd239704295c66196e6b77c5717ec4aec076ddd5", "cmt_msg": "ipv4: set the tcp_min_rtt_wlen range from 0 to one day", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "19fad20d15a6494f47f85d869f00b11343ee5c78", "last_affected_version": "5.0.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. 
There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18805", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18805", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18805", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18805", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18805", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18805" } }, "CVE-2019-18806": { "affected_versions": "v2.6.21-rc2 to v5.4-rc2", "breaks": "0f8ab89e825f8c9f1c84c558ad7e2e4006aee0d3", "cmt_msg": "net: qlogic: Fix memory leak in ql_alloc_large_buffers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "1acb8f2a7a9f10543868ddd737e37424d5c36cf4", "last_affected_version": "5.3.4", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18806", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2019-18806", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18806", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18806", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18806", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18806" } }, "CVE-2019-18807": { "affected_versions": "v5.2-rc1 to v5.4-rc2", "breaks": "8aa9ebccae87621d997707e4f25e53fddd7e30e4", "cmt_msg": "net: dsa: sja1105: Prevent leaking memory", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "68501df92d116b760777a2cfda314789f926476f", "last_affected_version": "5.3.4", "last_modified": "2023-12-06", "nvd_text": "Two memory leaks in the sja1105_static_config_upload() function in drivers/net/dsa/sja1105/sja1105_spi.c in the Linux kernel before 5.3.5 allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, aka CID-68501df92d11.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18807", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18807", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18807", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18807", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18807", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18807" } }, "CVE-2019-18808": { "affected_versions": 
"v4.9-rc1 to v5.5-rc1", "breaks": "4b394a232df78414442778b02ca4a388d947d059", "cmt_msg": "crypto: ccp - Release all allocated memory if sha type is invalid", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "128c66429247add5128c03dc1e144ca56f05a4e2", "last_affected_version": "5.4.55", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18808", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18808", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18808", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18808", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18808", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18808" } }, "CVE-2019-18809": { "affected_versions": "v4.9-rc4 to v5.5-rc1", "breaks": "c58b84ee467bfd08b39fbda56757ba19ac50980a", "cmt_msg": "media: usb: fix memory leak in af9005_identify_state", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "2289adbfa559050d2a38bcd9caac1c18b800e928", "last_affected_version": "5.4.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18809", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18809", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18809", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18809", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18809", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18809" } }, "CVE-2019-18810": { "affected_versions": "v5.3-rc1 to v5.4-rc2", "breaks": "5d51f6c0da1b563e2f8eb5022a4d7748aa687be4", "cmt_msg": "drm/komeda: prevent memory leak in komeda_wb_connector_add", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "a0ecd6fdbf5d648123a7315c695fb6850d702835", "last_affected_version": "5.3.7", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the 
komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering drm_writeback_connector_init() failures, aka CID-a0ecd6fdbf5d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18810", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18810", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18810", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18810", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18810", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18810" } }, "CVE-2019-18811": { "affected_versions": "v5.2-rc1 to v5.4-rc7", "breaks": "54d198d5019dd98b9bcb9099a389608d7e2cccad", "cmt_msg": "ASoC: SOF: ipc: Fix memory leak in sof_set_get_large_ctrl_data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "45c1380358b12bf2d1db20a5874e9544f56b34ab", "last_affected_version": "5.3.14", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18811", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2019-18811", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18811", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18811", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18811", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18811" } }, "CVE-2019-18812": { "affected_versions": "v5.3-rc1 to v5.4-rc7", "breaks": "091c12e1f50cce93b1af90e56cad88787ec86dfb", "cmt_msg": "ASoC: SOF: Fix memory leak in sof_dfsentry_write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "c0a333d842ef67ac04adc72ff79dc1ccc3dca4ed", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the sof_dfsentry_write() function in sound/soc/sof/debug.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-c0a333d842ef.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18812", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18812", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18812", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18812", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18812", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18812" } }, "CVE-2019-18813": { "affected_versions": "v4.19-rc1 to v5.4-rc6", "breaks": "1a7b12f69a9434a766e77c43d113826f0413b032", "cmt_msg": "usb: dwc3: pci: prevent memory leak in 
dwc3_pci_probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "9bbfceea12a8f145097a27d7c7267af25893c060", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18813", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18813", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18813", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18813", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18813", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18813" } }, "CVE-2019-18814": { "affected_versions": "v4.18-rc1 to v5.7-rc7", "breaks": "52e8c38001d8ef0ca07ef428e480cd4a35e46abf", "cmt_msg": "apparmor: Fix use-after-free in aa_audit_rule_init", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": 
"High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Use After Free", "fixes": "c54d481d71c6849e044690d3960aaebc730224cc", "last_affected_version": "5.6.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse() fails in aa_audit_rule_init() in security/apparmor/audit.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18814", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18814", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18814", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18814", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18814", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18814" } }, "CVE-2019-18885": { "affected_versions": "v2.6.29-rc1 to v5.1-rc1", "breaks": "2b82032c34ec40515d3c45c36cd1961f37977de8", "cmt_msg": "btrfs: merge btrfs_find_device and find_device", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "09ba3bc9dd150457c506e4661380a6183af651c1", "last_affected_version": "4.19.128", "last_modified": "2023-12-06", "nvd_text": "fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka 
CID-09ba3bc9dd15.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-18885", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-18885", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-18885", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-18885", "SUSE": "https://www.suse.com/security/cve/CVE-2019-18885", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18885" } }, "CVE-2019-19036": { "affected_versions": "v2.6.12-rc2 to v5.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: Detect unbalanced tree with empty leaf before crashing btree operations", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "62fdaa52a3d00a875da771719b6dc537ca79fce1", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19036", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19036", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19036", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19036", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19036", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19036" } }, "CVE-2019-19037": { "affected_versions": 
"v5.3-rc1 to v5.5-rc3", "breaks": "4e19d6b65fb4fc42e352ce9883649e049da14743", "cmt_msg": "ext4: fix ext4_empty_dir() for directories with holes", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "64d4ce892383b2ad6d782e080d25502f91bf2a38", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19037", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19037", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19037", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19037", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19037", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19037" } }, "CVE-2019-19039": { "affected_versions": "v2.6.12-rc2 to v5.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: Don't submit any btree write bio if the fs has errors", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", 
"Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Exposure", "fixes": "b3ff8f1d380e65dddd772542aa9bff6c86bf715a", "last_affected_version": "5.6.4", "last_modified": "2023-12-06", "nvd_text": "__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because \u201c1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19039", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19039", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19039", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19039" } }, "CVE-2019-19043": { "affected_versions": "v5.3-rc1 to v5.5-rc1", "breaks": "1d8d80b4e4ff641eefa5250cba324dfa5861a9f1", "cmt_msg": "i40e: prevent memory leak in i40e_setup_macvlans", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "27d461333459d282ffa4a2bdb6b215a59d493a8f", "last_affected_version": "5.4.13", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the i40e_setup_macvlans() function in drivers/net/ethernet/intel/i40e/i40e_main.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering i40e_setup_channel() failures, aka CID-27d461333459.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19043", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19043", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19043", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19043", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19043", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19043" } }, "CVE-2019-19044": { "affected_versions": "v5.3-rc1 to v5.4-rc6", "breaks": "a783a09ee76d6259296dc6aeea2b6884fa526980", "cmt_msg": "drm/v3d: Fix memory leak in v3d_submit_cl_ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "29cd13cfd7624726d9e6becbae9aa419ef35af7f", "last_affected_version": "5.3.10", 
"last_modified": "2023-12-06", "nvd_text": "Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19044", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19044", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19044", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19044", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19044", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19044" } }, "CVE-2019-19045": { "affected_versions": "v4.13-rc1 to v5.4-rc6", "breaks": "537a50574175a2b68b0612ffb48cb044a394c7b4", "cmt_msg": "net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "c8c2a057fdc7de1cd16f4baa51425b932a42eb39", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2019-19045", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19045", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19045", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19045", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19045", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19045" } }, "CVE-2019-19046": { "affected_versions": "v4.15-rc1 to v5.5-rc1", "breaks": "68e7e50f195f34d0d539282779cad073d999192b", "cmt_msg": "ipmi: Fix memory leak in __ipmi_bmc_register", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "4aa7afb0ee20a97fbf0c5bab3df028d5fb85fdab", "last_affected_version": "5.4.14", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. 
NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19046", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19046", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19046", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19046", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19046", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19046" } }, "CVE-2019-19047": { "affected_versions": "v5.3-rc1 to v5.4-rc6", "breaks": "9b1f2982360579cbdb3069fa026f6cfc31c4388b", "cmt_msg": "net/mlx5: fix memory leak in mlx5_fw_fatal_reporter_dump", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "c7ed6d0183d5ea9bc31bcaeeba4070bd62546471", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6d0183d5.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19047", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19047", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19047", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2019-19047", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19047", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19047" } }, "CVE-2019-19048": { "affected_versions": "v4.16-rc1 to v5.4-rc3", "breaks": "579db9d45cb4e8e7cedff9e6079331a1e2ea9f5d", "cmt_msg": "virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "e0b0cb9388642c104838fac100a4af32745621e2", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb938864.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19048", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19048", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19048", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19048", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19048", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19048" } }, "CVE-2019-19049": { "affected_versions": "v3.17-rc2 to v5.4-rc5", "breaks": "b951f9dc7f25fc1e39aafda5edb4b47b38285d9f", "cmt_msg": "of: unittest: fix memory leak in unittest_data_add", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "e13de8fe0d6a51341671bbe384826d527afe8d44", "last_affected_version": "5.3.9", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before 5.3.10 allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a. NOTE: third parties dispute the relevance of this because unittest.c can only be reached during boot", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19049", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19049", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19049", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19049", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19049", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19049" } }, "CVE-2019-19050": { "affected_versions": "v4.20-rc1 to v5.5-rc1", "breaks": "cac5818c25d0423bda73e2b6997404ed0a7ed9e3", "cmt_msg": "crypto: user - fix memory leak in crypto_reportstat", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", 
"Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "c03b04dcdba1da39903e23cc4d072abf8f68f2dd", "last_affected_version": "5.4.2", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19050", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19050", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19050", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19050", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19050", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19050" } }, "CVE-2019-19051": { "affected_versions": "v5.3 to v5.4-rc6", "breaks": "2507e6ab7a9a440773be476141a255934468c5ef", "cmt_msg": "wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "6f3ef5c25cc762687a7341c18cbea5af54461407", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the 
i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19051", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19051", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19051", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19051", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19051", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19051" } }, "CVE-2019-19052": { "affected_versions": "v3.16-rc1 to v5.4-rc7", "breaks": "d08e973a77d128b25e01a08c34d89593fdf222da", "cmt_msg": "can: gs_usb: gs_can_open(): prevent memory leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "fb5be6a7b4863ecc44963bb80ca614584b6c7817", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-fb5be6a7b486.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19052", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19052", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19052", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2019-19052", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19052", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19052" } }, "CVE-2019-19053": { "affected_versions": "v4.20-rc1 to v5.5-rc1", "breaks": "ccf45b18ce89f598c69a0c945ced1635013fc0b1", "cmt_msg": "rpmsg: char: release allocated memory", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "bbe692e349e2a1edf3fe0a29a0e05899c9c94d51", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19053", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19053", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19053", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19053", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19053" } }, "CVE-2019-19054": { "affected_versions": "v2.6.33-rc1 to v5.5-rc1", "breaks": "1a0b9d89c62ddf0aed12798686fe452e7e97de42", "cmt_msg": "media: rc: prevent memory leak in cx23888_ir_probe", "cvss2": { "Access Complexity": 
"Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "a7b2df76b42bdd026e3106cf2ba97db41345a177", "last_affected_version": "5.4.55", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19054", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19054", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19054", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19054", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19054", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19054" } }, "CVE-2019-19055": { "affected_versions": "v4.20-rc1 to v5.4-rc4", "breaks": "81e54d08d9d845053111f30045a93f3eb1c3ca96", "cmt_msg": "nl80211: fix memory leak in nl80211_get_ftm_responder_stats", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "1399c59fa92984836db90538cf92397fe7caaa57", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19055", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19055", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19055", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19055", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19055", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19055" } }, "CVE-2019-19056": { "affected_versions": "v3.9-rc1 to v5.5-rc1", "breaks": "fc3314609047daf472b3ffc49f9a1c5608068713", "cmt_msg": "mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "db8fd2cde93227e566a412cf53173ffa227998bc", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the 
mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19056", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19056", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19056", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19056", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19056", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19056" } }, "CVE-2019-19057": { "affected_versions": "v3.9-rc1 to v5.5-rc1", "breaks": "fc3314609047daf472b3ffc49f9a1c5608068713", "cmt_msg": "mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "d10dcb615c8e29d403a24d35f8310a7a53e3050c", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19057", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2019-19057", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19057", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19057", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19057", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19057" } }, "CVE-2019-19058": { "affected_versions": "v4.10-rc1 to v5.4-rc4", "breaks": "7e62a699aafbd97928f19a8356d719b71b0e151c", "cmt_msg": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "b4b814fec1a5a849383f7b3886b654a13abbda7d", "last_affected_version": "4.19.96", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19058", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19058", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19058", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19058", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19058", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19058" } }, "CVE-2019-19059": { "affected_versions": "v4.19-rc1 to v5.4-rc4", "breaks": 
"2ee824026288eb7068e6327c5f34b8ddbea74094", "cmt_msg": "iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "0f4f199443faca715523b0659aa536251d8b978f", "last_affected_version": "4.19.96", "last_modified": "2023-12-06", "nvd_text": "Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19059", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19059", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19059", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19059", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19059", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19059" } }, "CVE-2019-19060": { "affected_versions": "v3.8-rc1 to v5.4-rc3", "breaks": "aacff892cbd5c6b1904a3906219548a65018d750", "cmt_msg": "iio: imu: adis16400: release allocated memory on failure", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "ab612b1daf415b62c58e130cb3d0f30b255a14d0", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19060", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19060", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19060", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19060", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19060", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19060" } }, "CVE-2019-19061": { "affected_versions": "v3.9-rc1 to v5.4-rc3", "breaks": "5eda3550a3cc1987a495e9f85e5998a76d15a0aa", "cmt_msg": "iio: imu: adis16400: fix memory leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "9c0530e898f384c5d279bfcebd8bb17af1105873", "last_affected_version": "5.3.8", 
"last_modified": "2023-12-06", "nvd_text": "A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19061", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19061", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19061", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19061", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19061", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19061" } }, "CVE-2019-19062": { "affected_versions": "v3.2-rc1 to v5.5-rc1", "breaks": "a38f7907b926e4c6c7d389ad96cc38cec2e5a9e9", "cmt_msg": "crypto: user - fix memory leak in crypto_report", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "ffdde5932042600c6807d46c1550b28b0db6a3bc", "last_affected_version": "5.4.2", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19062", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19062", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-19062", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19062", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19062", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19062" } }, "CVE-2019-19063": { "affected_versions": "v3.4-rc3 to v5.5-rc1", "breaks": "a7959c1394d4126a70a53b914ce4105f5173d0aa", "cmt_msg": "rtlwifi: prevent memory leak in rtl_usb_probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "3f93616951138a598d930dcaec40f2bfd9ce43bb", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19063", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19063", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19063", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19063", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19063", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19063" } }, "CVE-2019-19064": { "affected_versions": "v5.2-rc1 to v5.5-rc1", "breaks": "944c01a889d97dc08e1b71f4ed868f4023fd6034", "cmt_msg": "spi: lpspi: fix memory leak in fsl_lpspi_probe", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "057b8945f78f76d0b04eeb5c27cd9225e5e7ad86", "last_affected_version": "5.4.12", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering pm_runtime_get_sync() failures, aka CID-057b8945f78f. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control these failures at probe time", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19064", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19064", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19064", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19064", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19064", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19064" } }, "CVE-2019-19065": { "affected_versions": "v4.12-rc1 to v5.4-rc3", "breaks": "5a52a7acf7e2a812d2852342992cee3dc22ad25d", "cmt_msg": "RDMA/hfi1: Prevent memory leak in sdma_init", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "34b3be18a04ecdc610aae4c48e5d1b799d8689f6", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. NOTE: This has been disputed as not a vulnerability because \"rhashtable_init() can only fail if it is passed invalid values in the second parameter's struct, but when invoked from sdma_init() that is a pointer to a static const struct, so an attacker could only trigger failure if they could corrupt kernel memory (in which case a small memory leak is not a significant problem).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19065", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19065", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19065", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19065", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19065", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19065" } }, "CVE-2019-19066": { "affected_versions": "v2.6.37-rc1 to v5.5-rc1", "breaks": "a36c61f9025b8924f99f54d518763bee7aa84085", "cmt_msg": "scsi: bfa: release allocated memory in case of error", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "0e62395da2bd5166d7c9e14cbc7503b256a34cb0", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19066", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19066", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19066", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19066", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19066", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19066" } }, "CVE-2019-19067": { "affected_versions": "v4.6-rc1 to v5.4-rc2", "breaks": "a8fe58cec351c25e09c393bf46117c0c47b5a17c", "cmt_msg": "drm/amdgpu: fix multiple memory leaks in acp_hw_init", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "57be09c6e8747bf48704136d9e3f92bfb93f5725", "last_affected_version": "5.3.7", "last_modified": "2023-12-06", "nvd_text": "Four memory leaks in the acp_hw_init() function 
in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19067", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19067", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19067", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19067", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19067", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19067" } }, "CVE-2019-19068": { "affected_versions": "v4.4-rc1 to v5.5-rc1", "breaks": "26f1fad29ad973b0fb26a9ca3dcb2a73dde781aa", "cmt_msg": "rtl8xxxu: prevent leaking urb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdd07488e6.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2019-19068", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19068", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19068", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19068", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19068", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19068" } }, "CVE-2019-19069": { "affected_versions": "v5.1-rc1 to v5.4-rc3", "breaks": "6cffd79504ce040f460831030d3069fa1c99bb71", "cmt_msg": "misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "fc739a058d99c9297ef6bfd923b809d85855b9a9", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fc739a058d99.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19069", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19069", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19069", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19069", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19069", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19069" } }, 
"CVE-2019-19070": { "affected_versions": "v4.17-rc1 to v5.5-rc1", "breaks": "9b00bc7b901ff672a9252002d3810fdf9489bc64", "cmt_msg": "spi: gpio: prevent memory leak in spi_gpio_probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "d3b0ffa1d75d5305ebe34735598993afbb8a869d", "last_affected_version": "5.4.6", "last_modified": "2024-01-12", "nvd_text": "A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d. 
NOTE: third parties dispute the relevance of this because the system must have already been out of memory before the probe began", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19070", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19070", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19070", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19070", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19070", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19070" } }, "CVE-2019-19071": { "affected_versions": "v4.14-rc1 to v5.5-rc1", "breaks": "d26a9559403c7c3ec3b430f5825bc22c3d40abdb", "cmt_msg": "rsi: release skb if rsi_prepare_beacon fails", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "d563131ef23cbc756026f839a82598c8445bc45f", "last_affected_version": "5.4.2", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19071", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19071", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19071", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19071", 
"SUSE": "https://www.suse.com/security/cve/CVE-2019-19071", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19071" } }, "CVE-2019-19072": { "affected_versions": "v4.17-rc1 to v5.4-rc1", "breaks": "80765597bc587feae8dbc8ce97a0f32e12a6e625", "cmt_msg": "tracing: Have error path in predicate_parse() free its allocated memory", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "96c5c6e6a5b6db592acae039fed54b5c8844cd35", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19072", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19072", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19072", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19072", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19072", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19072" } }, "CVE-2019-19073": { "affected_versions": "v2.6.35-rc1 to v5.4-rc1", "breaks": "fb9987d0f748c983bb795a86f47522313f701a08", "cmt_msg": "ath9k_htc: release allocated buffer if timed out", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", 
"Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "score": 4.0 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "853acf7caf10b828102d92d05b5c101666a6142b", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19073", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19073", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19073", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19073", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19073", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19073" } }, "CVE-2019-19074": { "affected_versions": "v2.6.35-rc1 to v5.4-rc1", "breaks": "fb9987d0f748c983bb795a86f47522313f701a08", "cmt_msg": "ath9k: release allocated buffer if timed out", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": 
"None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "728c1e2a05e4b5fc52fab3421dce772a806612a2", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19074", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19074", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19074", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19074", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19074", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19074" } }, "CVE-2019-19075": { "affected_versions": "v4.12-rc1 to v5.4-rc2", "breaks": "ded845a781a578dfb0b5b2c138e5a067aa3b1242", "cmt_msg": "ieee802154: ca8210: prevent memory leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "6402939ec86eaf226c8b8ae00ed983936b164908", "last_affected_version": "5.3.7", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service 
(memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19075", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19075", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19075", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19075", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19075", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19075" } }, "CVE-2019-19076": { "affected_versions": "v5.0-rc1 to v5.4-rc1", "breaks": "174ab544e3bc0b0c944b8e642618203dd0c2ecdf", "cmt_msg": "nfp: abm: fix memory leak in nfp_abm_u32_knode_replace", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "78beef629fd95be4ed853b2d37b832f766bd96ca", "last_affected_version": "5.3.5", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. 
The upstream commit 78beef629fd9 was reverted", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19076", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19076", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19076", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19076", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19076", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19076" } }, "CVE-2019-19077": { "affected_versions": "v4.16-rc1 to v5.4-rc1", "breaks": "37cb11acf1f72a007a85894a6dd2ec93932bde46", "cmt_msg": "RDMA: Fix goto target to release the allocated memory", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "4a9d46a9fe14401f21df69cea97c62396d5fb053", "last_affected_version": "4.19.96", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy to udata failures, aka CID-4a9d46a9fe14.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19077", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19077", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19077", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19077" } }, "CVE-2019-19078": { "affected_versions": "v4.14-rc1 to v5.5-rc1", "breaks": "4db66499df91b9398435e2dbee0e42cd6df0bc27", "cmt_msg": "ath10k: fix memory leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "b8d17e7d93d2beb89e4f34c59996376b8b544792", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19078", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19078", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19078", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19078", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19078", "Ubuntu": "https://ubuntu.com/security/CVE-2019-19078" } }, "CVE-2019-19079": { "affected_versions": "v4.18-rc1 to v5.3", "breaks": "28fb4e59a47d7f1f0c7a26d2ed3a671c26158536", "cmt_msg": "net: qrtr: fix memort leak in qrtr_tun_write_iter", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity 
Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "a21b7f0cff1906a93a0130b74713b15a0b36481d", "last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c in the Linux kernel before 5.3 allows attackers to cause a denial of service (memory consumption), aka CID-a21b7f0cff19.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19079", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19079", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19079", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19079", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19079", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19079" } }, "CVE-2019-19080": { "affected_versions": "v4.18-rc1 to v5.4-rc1", "breaks": "b945245297416a3c68ed12f2ada1c7162f5f73fd", "cmt_msg": "nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "8572cea1461a006bce1d06c0c4b0575869125fa4", 
"last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allow attackers to cause a denial of service (memory consumption), aka CID-8572cea1461a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19080", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19080", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19080", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19080", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19080", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19080" } }, "CVE-2019-19081": { "affected_versions": "v4.18-rc1 to v5.4-rc1", "breaks": "b945245297416a3c68ed12f2ada1c7162f5f73fd", "cmt_msg": "nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "8ce39eb5a67aee25d9f05b40b673c95b23502e3e", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allows attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19081", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2019-19081", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19081", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19081", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19081", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19081" } }, "CVE-2019-19082": { "affected_versions": "v4.15-rc1 to v5.4-rc1", "breaks": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "cmt_msg": "drm/amd/display: prevent memory leak", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "104c307147ad379617472dd91a5bcb368d72bd6d", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption). 
This affects the dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, aka CID-104c307147ad.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19082", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19082", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19082", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19082", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19082", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19082" } }, "CVE-2019-19083": { "affected_versions": "v4.15-rc1 to v5.4-rc2", "breaks": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "cmt_msg": "drm/amd/display: memory leak", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "055e547478a11a6360c7ce05e2afc3e366968a12", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before 5.3.8 allow attackers to cause a 
denial of service (memory consumption). This affects the dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka CID-055e547478a1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19083", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19083", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19083", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19083", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19083", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19083" } }, "CVE-2019-19227": { "affected_versions": "v2.6.12-rc2 to v5.1-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "appletalk: Fix potential NULL pointer dereference in unregister_snap_client", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", 
"fixes": "9804501fa1228048857910a6bf23e085aade37cc", "last_affected_version": "4.19.88", "last_modified": "2023-12-06", "nvd_text": "In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19227", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19227", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19227", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19227", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19227", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19227" } }, "CVE-2019-19241": { "affected_versions": "v5.5-rc1 to v5.5-rc1", "backport": true, "breaks": "771b53d033e8663abdf59704806aa856b236dcdb", "cmt_msg": "io_uring: async workers should inherit the user creds", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "181e448d8709e517c9c7b523fcd209f24eb38ca7", "last_affected_version": "5.4.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. 
For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19241", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19241", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19241", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19241", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19241", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19241" } }, "CVE-2019-19252": { "affected_versions": "v4.19-rc1 to v5.5-rc1", "breaks": "d21b0be246bf3bbf569e6e239f56abb529c7154e", "cmt_msg": "vcs: prevent write access to vcsu devices", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "0c9acb1af77a3cb8707e43f45b72c95266903cee", "last_affected_version": "5.4.2", "last_modified": "2023-12-06", "nvd_text": "vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19252", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19252", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19252", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2019-19252", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19252", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19252" } }, "CVE-2019-19318": { "affected_versions": "v5.3-rc2 to v5.4-rc1", "breaks": "78134300579a45f527ca173ec8fdb4701b69f16e", "cmt_msg": "Btrfs: fix selftests failure due to uninitialized i_mode in test inodes", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Use After Free", "fixes": "9f7fec0ba89108b9385f1b9fb167861224912a4a", "last_affected_version": "5.3.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19318", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19318", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19318", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19318", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19318", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19318" } }, "CVE-2019-19319": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: protect journal inode's blocks using block_validity", "cvss2": { "Access Complexity": "Medium", 
"Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "score": 6.5 }, "cwe": "Out-of-bounds Write", "fixes": "345c0dbf3a30872d9b204db96b5857cd00808cae", "last_affected_version": "4.19.72", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call, aka CID-345c0dbf3a30.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19319", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19319", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19319", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19319", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19319", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19319" } }, "CVE-2019-19332": { "affected_versions": "v3.13-rc1 to v5.5-rc1", "breaks": "84cffe499b9418d6c3b4de2ad9599cc2ec50c607", "cmt_msg": "KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": 
"Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "score": 6.1 }, "cwe": "Out-of-bounds Write", "fixes": "433f4ba1904100da65a311033f17a9bf586b287e", "last_affected_version": "5.4.2", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19332", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19332", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19332", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19332", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19332", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19332" } }, "CVE-2019-19338": { "affected_versions": "v5.4-rc8 to v5.5-rc1", "breaks": "1b42f017415b46c317e71d41c34ec088417a1883", "cmt_msg": "KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Observable Discrepancy", "fixes": "cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b", "last_affected_version": "5.4.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was 
found in the fix for CVE-2019-11135, in Linux upstream kernel versions before 5.5, concerning the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0) but not by the MDS issue (MDS_NO=1), the guest was expected to clear the affected buffers by using the VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that the host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19338", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19338", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19338", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19338", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19338", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19338" } }, "CVE-2019-19377": { "affected_versions": "v2.6.12-rc2 to v5.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: Don't submit any btree write bio if the fs has errors", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "b3ff8f1d380e65dddd772542aa9bff6c86bf715a", 
"last_affected_version": "5.6.4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19377", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19377", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19377", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19377", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19377", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19377" } }, "CVE-2019-19378": { "affected_versions": "v3.9-rc1 to unk", "breaks": "53b381b3abeb86f12787a6c40fee9b2f71edc23b", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19378", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19378", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19378", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19378", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19378", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19378" } }, "CVE-2019-19447": { "affected_versions": "v2.6.12-rc2 to v5.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: work around deleting a file with i_nlink == 0 safely", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c7df4a1ecb8579838ec8c56b2bb6a6716e974f37", "last_affected_version": "5.4.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19447", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19447", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19447", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19447", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19447", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19447" } }, "CVE-2019-19448": { "affected_versions": "v2.6.31-rc5 to v5.9-rc1", "breaks": "963030817060e4f109be1993b9ae8f81dbf5e11a", "cmt_msg": "btrfs: only search for left_info if there is no right_info in try_merge_free_space", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", 
"Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "bf53d4687b8f3f6b752f091eb85f62369a515dfd", "last_affected_version": "5.8.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19448", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19448", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19448", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19448", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19448", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19448" } }, "CVE-2019-19449": { "affected_versions": "v2.6.12-rc2 to v5.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to do sanity check on segment/section count", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": 
"Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "3a22e9ac71585bcb7667e44641f1bbb25295f0ce", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds read access in f2fs_build_segment_manager in fs/f2fs/segment.c, related to init_min_max_mtime in fs/f2fs/segment.c (because the second argument to get_seg_entry is not validated).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19449", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19449", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19449", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19449", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19449", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19449" } }, "CVE-2019-19462": { "affected_versions": "v4.9-rc1 to v5.8-rc1", "breaks": "017c59c042d01fc84cae7a8ea475861e702c77ab", "cmt_msg": "kernel/relay.c: handle alloc_percpu returning NULL in relay_open", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "54e200ab40fc14c863bcc80a51e20b7906608fce", "last_affected_version": "5.7.0", "last_modified": "2023-12-06", "nvd_text": "relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.", 
"ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19462", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19462", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19462", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19462", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19462", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19462" } }, "CVE-2019-19523": { "affected_versions": "v2.6.24-rc4 to v5.4-rc3", "breaks": "f08812d5eb8f8cd1a5bd5f5c26a96eb93d97ab69", "cmt_msg": "USB: adutux: fix use-after-free on disconnect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "44efc269db7929f6275a1fa927ef082e533ecde0", "last_affected_version": "5.3.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19523", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19523", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19523", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19523", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19523", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19523" } }, "CVE-2019-19524": { "affected_versions": "v2.6.19-rc1 to v5.4-rc8", "breaks": 
"7d928a2b14eede1f333db7b7b684c57f7fa7f456", "cmt_msg": "Input: ff-memless - kill timer in destroy()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "fa3a5a1880c91bb92594ad42dfe9eedad7996b86", "last_affected_version": "5.3.11", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19524", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19524", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19524", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19524", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19524", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19524" } }, "CVE-2019-19525": { "affected_versions": "v4.2-rc1 to v5.4-rc2", "breaks": "7490b008d123f9bd781f51ad86b543aed49f6200", "cmt_msg": "ieee802154: atusb: fix use-after-free at disconnect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": 
"None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "7fd25e6fc035f4b04b75bca6d7e8daa069603a76", "last_affected_version": "5.3.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19525", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19525", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19525", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19525", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19525", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19525" } }, "CVE-2019-19526": { "affected_versions": "v4.12-rc1 to v5.4-rc4", "breaks": "32ecc75ded72e0425713a7ffe2050fef6e54e564", "cmt_msg": "NFC: pn533: fix use-after-free and memleaks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "6af3aa57a0984e061f61308fe181a9a12359fecc", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2019-19526", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19526", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19526", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19526", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19526", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19526" } }, "CVE-2019-19527": { "affected_versions": "v2.6.30-rc1 to v5.3-rc4", "breaks": "0361a28d3f9a4315a100c7b37ba0b55cfe15fe07", "cmt_msg": "HID: hiddev: do cleanup in failure of opening a device", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Use After Free", "fixes": "6d4472d7bec39917b54e4e80245784ea5d60ce49", "last_affected_version": "5.2.9", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19527", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19527", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19527", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19527", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19527", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19527" } }, "CVE-2019-19528": { "affected_versions": "v2.6.24-rc2 to v5.4-rc3", "breaks": 
"03f36e885fc26cb0ea299fb6df5171a51e814548", "cmt_msg": "USB: iowarrior: fix use-after-free on disconnect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 6.1 }, "cwe": "Use After Free", "fixes": "edc4746f253d907d048de680a621e121517f484b", "last_affected_version": "5.3.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19528", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19528", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19528", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19528", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19528", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19528" } }, "CVE-2019-19529": { "affected_versions": "v4.12-rc1 to v5.4-rc7", "breaks": "51f3baad7de943780ce0c17bd7975df567dd6e14", "cmt_msg": "can: mcba_usb: fix use-after-free on disconnect", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.3 }, "cwe": "Use After Free", "fixes": "4d6636498c41891d0482a914dd570343a838ad79", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19529", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19529", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19529", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19529", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19529", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19529" } }, "CVE-2019-19530": { "affected_versions": "v3.3-rc1 to v5.3-rc5", "breaks": "7fb57a019f94ea0c1290c39b8da753be155af41c", "cmt_msg": "usb: cdc-acm: make sure a refcount is taken early enough", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "c52873e5a1ef72f845526d9f6a50704433f9c625", "last_affected_version": "5.2.9", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2019-19530", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19530", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19530", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19530", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19530", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19530" } }, "CVE-2019-19531": { "affected_versions": "v2.6.37-rc1 to v5.3-rc4", "breaks": "6bc235a2e24a5ef677daee3fd4f74f6cd643e23c", "cmt_msg": "usb: yurex: Fix use-after-free in yurex_delete", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Use After Free", "fixes": "fc05481b2fcabaaeccf63e32ac1baab54e5b6963", "last_affected_version": "5.2.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19531", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19531", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19531", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19531", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19531", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19531" } }, "CVE-2019-19532": { "affected_versions": "v2.6.12-rc2 to v5.4-rc6", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: Fix assumption that devices have inputs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Out-of-bounds Write", "fixes": "d9d4b1e46d9543a82c23f6df03f4ad697dab361b", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19532", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19532", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19532", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19532", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19532", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19532" } }, "CVE-2019-19533": { "affected_versions": "v2.6.12-rc2 to v5.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 2.4 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "a10feaf8c464c3f9cfdd3a8a7ce17e1c0d498da1", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19533", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19533", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19533", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19533", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19533", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19533" } }, "CVE-2019-19534": { "affected_versions": "v3.4-rc1 to v5.4-rc7", "breaks": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d", "cmt_msg": "can: peak_usb: fix slab info leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 2.4 }, "cwe": "Information Exposure", "fixes": "f7a1337f0d29b98733c8824e165fca3371d7d4fd", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19534", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19534", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19534", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19534", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19534", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19534" } }, "CVE-2019-19535": { "affected_versions": "v4.0-rc1 to v5.3-rc4", "breaks": "0a25e1f4f18566b750ebd3ae995af64e23111e63", "cmt_msg": "can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Information Exposure", "fixes": "30a8beeb3042f49d0537b7050fd21b490166a3d9", "last_affected_version": "5.2.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2019-19535", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19535", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19535", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19535", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19535", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19535" } }, "CVE-2019-19536": { "affected_versions": "v3.10-rc5 to v5.3-rc4", "breaks": "f14e22435a27ef183bbfa78f77ad86644c0b354c", "cmt_msg": "can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Information Exposure", "fixes": "ead16e53c2f0ed946d82d4037c630e2f60f4ab69", "last_affected_version": "5.2.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19536", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19536", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19536", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19536", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19536", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19536" } }, "CVE-2019-19537": { "affected_versions": "v2.6.12-rc2 to v5.3-rc5", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: core: Fix races in character device registration and deregistraion", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.2 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "303911cfc5b95d33687d9046133ff184cf5043ff", "last_affected_version": "5.2.9", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. 
This affects drivers/usb/core/file.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19537", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19537", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19537", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19537", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19537", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19537" } }, "CVE-2019-19543": { "affected_versions": "v4.10-rc1 to v5.2-rc1", "breaks": "b66db53f8d85f6e8ce1b2b827d3fb3b0f0bf64c6", "cmt_msg": "media: serial_ir: Fix use-after-free in serial_ir_init_module", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "56cd26b618855c9af48c8301aa6754ced8dd0beb", "last_affected_version": "5.1.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.1.6, there is a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19543", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19543", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19543", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19543" } }, "CVE-2019-19602": { "affected_versions": "v5.2-rc1 to v5.5-rc1", "breaks": 
"5f409e20b794565e2d60ad333e79334630a6c798", "cmt_msg": "x86/fpu: Don't cache access to fpu_fpregs_owner_ctx", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:P", "score": 5.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "score": 6.1 }, "cwe": "Incorrect Permission Assignment for Critical Resource", "fixes": "59c4bd853abcea95eccc167a7d7fd5f1a5f47b98", "last_affected_version": "5.4.1", "last_modified": "2023-12-06", "nvd_text": "fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by mishandling of signal-based non-cooperative preemption in Go 1.14 prereleases on amd64, aka CID-59c4bd853abc.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19602", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19602", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19602", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19602", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19602", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19602" } }, "CVE-2019-19767": { "affected_versions": "v4.13-rc4 to v5.5-rc1", "breaks": "c03b45b853f5829816d871283c792e7527a7ded1", "cmt_msg": "ext4: add more paranoia checking in ext4_expand_extra_isize handling", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", 
"Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a", "last_affected_version": "5.4.1", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19767", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19767", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19767", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19767", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19767", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19767" } }, "CVE-2019-19768": { "affected_versions": "v2.6.17-rc1 to v5.6-rc4", "breaks": "2056a782f8e7e65fd4bfd027506b4ce1c5e9ccd4", "cmt_msg": "blktrace: Protect q->blk_trace with RCU", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Use After 
Free", "fixes": "c780e86dd48ef6467a1146cf7d0fe1e05a635039", "last_affected_version": "5.5.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19768", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19768", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19768", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19768", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19768", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19768" } }, "CVE-2019-19769": { "affected_versions": "v5.0-rc1 to v5.6-rc5", "breaks": "16306a61d3b7c433c7a127ec6224867b88ece687", "cmt_msg": "locks: fix a potential use-after-free problem when wakeup a waiter", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "score": 6.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da", "last_affected_version": "5.5.11", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function (related to include/trace/events/lock.h).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19769", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19769", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-19769", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19769", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19769", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19769" } }, "CVE-2019-19770": { "affected_versions": "v4.11-rc1 to v5.9-rc1", "breaks": "6ac93117ab009d3901ed5d3d0f79056eb5fc0afd", "cmt_msg": "blktrace: fix debugfs use after free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "score": 6.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "score": 8.2 }, "cwe": "Use After Free", "fixes": "bad8e64fb19d3a0de5e564d9a7271c31bd684369", "last_affected_version": "5.8.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). 
NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs, instead this is an issue with misuse of debugfs within blktrace", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19770", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19770", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19770", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19770", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19770", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19770" } }, "CVE-2019-19807": { "affected_versions": "v5.2-rc1 to v5.4-rc7", "breaks": "41672c0c24a62699d20aab53b98d843b16483053", "cmt_msg": "ALSA: timer: Fix incorrectly assigned timer instance", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "e7af6307a8a54f0b873960b32b6a644f2d0fbd97", "last_affected_version": "5.3.10", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. 
The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19807", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19807", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19807", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19807", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19807", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19807" } }, "CVE-2019-19813": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: inode: Verify inode mode to avoid NULL pointer dereference", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. 
This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19813", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19813", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19813", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19813", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19813", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19813" } }, "CVE-2019-19814": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19814", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19814", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19814", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19814", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19814", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19814" } }, "CVE-2019-19815": { 
"affected_versions": "v3.18-rc1 to v5.3-rc1", "breaks": "9850cf4a8908886370b1f15aacf83d291f098c72", "cmt_msg": "f2fs: support swap file w/ DIO", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "score": 7.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "4969c06a0d83c9c3dc50b8efcdc8eeedfce896f6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause a NULL pointer dereference in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This is related to F2FS_P_SB in fs/f2fs/f2fs.h.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19815", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19815", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19815", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19815", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19815", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19815" } }, "CVE-2019-19816": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: inode: Verify inode mode to avoid NULL pointer dereference", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "score": 9.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for the number of data stripes is mishandled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19816", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19816", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19816", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19816", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19816", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19816" } }, "CVE-2019-19922": { "affected_versions": "v4.18-rc4 to v5.4-rc1", "backport": true, "breaks": "512ac999d2755d2b7109e996a76b6fb8b888631d", "cmt_msg": "sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "de53fd7aedb100f03e5d2231cfce0e4993282425", "last_affected_version": "5.3.8", 
"last_modified": "2023-12-06", "nvd_text": "kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19922", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19922", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19922", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19922", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19922", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19922" } }, "CVE-2019-19927": { "affected_versions": "v5.1-rc6 to v5.1-rc6", "backport": true, "breaks": "ac1e516d5a4c56bf0cb4a3dfc0672f689131cfd4", "cmt_msg": "drm/ttm: fix incrementing the page pointer for huge pages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "cwe": "Out-of-bounds Read", "fixes": 
"453393369dc9806d2455151e329c599684762428", "last_affected_version": "4.19.96", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19927", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19927", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19927", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19927", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19927", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19927" } }, "CVE-2019-19947": { "affected_versions": "v4.19-rc1 to v5.5-rc3", "breaks": "7259124eac7d1b76b41c7a9cb2511a30556deebe", "cmt_msg": "can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "da2311a6385c3b499da2ed5d9be59ce331fa93e9", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.", 
"ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19947", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19947", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19947", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19947", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19947", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19947" } }, "CVE-2019-19965": { "affected_versions": "v2.6.19-rc1 to v5.5-rc2", "breaks": "2908d778ab3e244900c310974e1fc1c69066e450", "cmt_msg": "scsi: libsas: stop discovering if oob mode is disconnected", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "f70267f379b5e5e11bdc5d72a56bf17e5feed01f", "last_affected_version": "5.4.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19965", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19965", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19965", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19965", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19965", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19965" } }, "CVE-2019-19966": { "affected_versions": "v2.6.17-rc1 to v5.2-rc1", "breaks": "ab33d5071de7a33616842882c11b5eb52a6c26a1", "cmt_msg": "media: cpia2: Fix use-after-free in cpia2_exit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Use After Free", "fixes": "dea37a97265588da604c6ba80160a287b72c7bfd", "last_affected_version": "5.1.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-19966", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-19966", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-19966", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-19966", "SUSE": "https://www.suse.com/security/cve/CVE-2019-19966", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19966" } }, "CVE-2019-1999": { "affected_versions": "v2.6.12-rc2 to v5.1-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "binder: fix race between munmap() and direct reclaim", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, 
"cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "5cec2d2e5839f9c0fec319c523a911e0a7fd299f", "last_affected_version": "4.19.48", "last_modified": "2023-12-06", "nvd_text": "In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025196.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-1999", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-1999", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-1999", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-1999", "SUSE": "https://www.suse.com/security/cve/CVE-2019-1999", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1999" } }, "CVE-2019-20054": { "affected_versions": "v3.4-rc1 to v5.1-rc3", "breaks": "0e47c99d7fe25e0f3907d9f3401079169d904891", "cmt_msg": "fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": 
"23da9588037ecdd4901db76a5b79a42b529c4ec3", "last_affected_version": "5.0.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20054", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20054", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20054", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20054", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20054", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20054" } }, "CVE-2019-20095": { "affected_versions": "v4.9-rc1 to v5.2-rc1", "breaks": "3935ccc14d2c68488bd96448fc073da48eaeebf0", "cmt_msg": "mwifiex: Fix mem leak in mwifiex_tm_cmd", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "003b686ace820ce2d635a83f10f2d7f9c147dabc", "last_affected_version": "5.1.5", "last_modified": "2023-12-06", "nvd_text": "mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. 
This will cause a memory leak and denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20095", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20095", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20095", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20095" } }, "CVE-2019-20096": { "affected_versions": "v2.6.29-rc1 to v5.1-rc4", "breaks": "e8ef967a54f401ac5e8637b7f7f8bddb006144c4", "cmt_msg": "dccp: Fix memleak in __feat_register_sp", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "1d3ff0950e2b40dc861b1739029649d03f591820", "last_affected_version": "4.19.96", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20096", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20096", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20096", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20096", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20096", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20096" } }, "CVE-2019-2024": { "affected_versions": 
"v3.15-rc1 to v4.16-rc1", "breaks": "425f53aaf76cce77b3bedd8ed4902bc94ed254ff", "cmt_msg": "media: em28xx: Fix use-after-free when disconnecting", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "910b0797fa9e8af09c44a3fa36cb310ba7a7218d", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-111761954. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2024", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2024", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2024", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2024", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2024", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2024" } }, "CVE-2019-2025": { "affected_versions": "v2.6.12-rc2 to v4.20-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "binder: fix race that allows malicious free of live buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "7bada55ab50697861eee6bb7d60b41e68a961a9c", "last_affected_version": "4.19.6", "last_modified": "2023-12-06", "nvd_text": "In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-116855682. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2025", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2025", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2025", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2025", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2025", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2025" } }, "CVE-2019-20422": { "affected_versions": "v5.3-rc1 to v5.4-rc1", "breaks": "d64a1f574a2957b4bcb06452d36cc1c6bf16e9fc", "cmt_msg": "ipv6: fix a typo in fib6_rule_lookup()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Handling of Exceptional Conditions", "fixes": "7b09c2d052db4b4ad0b27b97918b46a7746966fa", "last_affected_version": "5.3.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib.c mishandles the RT6_LOOKUP_F_DST_NOREF flag in a reference-count decision, leading to (for example) a crash that was identified by syzkaller, aka CID-7b09c2d052db.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20422", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20422", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20422", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20422", "SUSE": 
"https://www.suse.com/security/cve/CVE-2019-20422", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20422" } }, "CVE-2019-2054": { "affected_versions": "v2.6.12-rc2 to v4.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm/ptrace: run seccomp after ptrace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "0f3912fd934cdfd03d93f2dc6f064099795bf638", "last_modified": "2023-12-06", "nvd_text": "In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 
Product: Android. Versions: Android kernel. Android ID: A-119769499.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2054", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2054", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2054", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2054", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2054", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2054" } }, "CVE-2019-20636": { "affected_versions": "v2.6.12-rc2 to v5.5-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: add safety guards to input_set_keycode()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "cb222aed03d798fc074be55e59d9a112338ee784", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20636", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20636", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20636", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20636" } }, "CVE-2019-20794": { 
"affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. 
This can result in resource exhaustion.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20794", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20794", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20794", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20794", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20794", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20794" } }, "CVE-2019-20806": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "NULL Pointer Dereference", "fixes": "2e7682ebfc750177a4944eeb56e97a3f05734528", "last_affected_version": "4.19.98", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2. 
There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20806", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20806", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20806", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20806", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20806", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20806" } }, "CVE-2019-20810": { "affected_versions": "v3.15-rc1 to v5.6-rc1", "breaks": "a4f2473d39eb72915d37d65bdd8dd734c7ee4f8a", "cmt_msg": "media: go7007: fix a miss of snd_card_free", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "9453264ef58638ce8976121ac44c07a3ef375983", "last_affected_version": "5.4.47", "last_modified": "2023-12-06", "nvd_text": "go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20810", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20810", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20810", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20810", "SUSE": 
"https://www.suse.com/security/cve/CVE-2019-20810", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20810" } }, "CVE-2019-20811": { "affected_versions": "v2.6.38-rc1 to v5.1-rc3", "breaks": "fe8222406c8277a21172479d3a8283d31c209028", "cmt_msg": "net-sysfs: call dev_hold if kobject_init_and_add success", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e", "last_affected_version": "5.0.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.6. 
In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20811", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20811", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20811", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20811", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20811", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20811" } }, "CVE-2019-20812": { "affected_versions": "v3.2-rc1 to v5.5-rc3", "breaks": "f6fb8f100b807378fda19e83e5ac6828b638603a", "cmt_msg": "af_packet: set defaule value for tmo", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "b43d1f9f7067c6759b1051e8ecb84e82cef569fe", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.4.7. 
The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20812", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20812", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20812", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20812", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20812", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20812" } }, "CVE-2019-20908": { "affected_versions": "v2.6.12-rc2 to v5.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "efi: Restrict efivar_ssdt_load when the kernel is locked down", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Unspecified", "fixes": "1957a85b0032a81e6482ca4aab883643b8dae06e", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. 
Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20908", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20908", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20908", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20908", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20908", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20908" } }, "CVE-2019-20934": { "affected_versions": "v3.13-rc1 to v5.3-rc2", "breaks": "82727018b0d33d188e9916bcf76f18387484cb04", "cmt_msg": "sched/fair: Don't free p->numa_faults with concurrent readers", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:C", "score": 5.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "score": 5.3 }, "cwe": "Use After Free", "fixes": "16d51a590a8ce3befb1308e0e7ab77f3b661af33", "last_affected_version": "5.2.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2.6. 
On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-20934", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-20934", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-20934", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-20934", "SUSE": "https://www.suse.com/security/cve/CVE-2019-20934", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20934" } }, "CVE-2019-2101": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: uvcvideo: Fix 'type' check leading to overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "47bb117911b051bbc90764a8bff96543cbd2005f", "last_affected_version": "5.0.1", "last_modified": "2023-12-06", "nvd_text": "In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. 
Android ID: A-111760968.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2101", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2101", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2101", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2101", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2101", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2101" } }, "CVE-2019-2181": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "binder: check for overflow when alloc for security context", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "0b0509508beff65c1d50541861bc0d4973487dc5", "last_modified": "2023-12-06", "nvd_text": "In binder_transaction of binder.c in the Android kernel, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2181", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2181", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2181", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2181", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2181", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2181" } }, "CVE-2019-2182": { "affected_versions": "v4.6-rc1 to v4.16-rc3", "breaks": "324420bf91f60582bb481133db9547111768ef17", "cmt_msg": "arm64: Enforce BBM for huge IO/VMAP mappings", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "15122ee2c515a253b0c66a3e618bc7ebe35105eb", "last_affected_version": "4.14.165", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in the kernel MMU code there is a possible execution path leaving some kernel text and rodata pages writable. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2182", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2182", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2182", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2182", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2182", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2182" } }, "CVE-2019-2213": { "affected_versions": "v2.6.29-rc1 to v5.2-rc6", "breaks": "457b9a6f09f011ebcb9b52cc203a6331a6fc2de7", "cmt_msg": "binder: fix possible UAF when freeing buffer", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.4 }, "cwe": "Use After Free", "fixes": "a370003cc301d4361bae20c9ef615f89bf8d1e8a", "last_affected_version": "5.1.14", "last_modified": "2023-12-06", "nvd_text": "In binder_free_transaction of binder.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-133758011References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2213", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2213", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2213", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2213", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2213", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2213" } }, "CVE-2019-2214": { "affected_versions": "v5.1-rc1 to v5.3-rc2", "breaks": "ec74136ded792deed80780a2f8baf3521eeb72f9", "cmt_msg": "binder: Set end of SG buffer area properly.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "a56587065094fd96eb4c2b5ad65571daad32156d", "last_affected_version": "5.2.4", "last_modified": "2023-12-06", "nvd_text": "In binder_transaction of binder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-136210786References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2214", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2214", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2214", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2214", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2214", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2214" } }, "CVE-2019-2215": { "affected_versions": "v2.6.12-rc2 to v4.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ANDROID: binder: remove waitqueue when thread exits.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f5cb779ba16334b45ba8946d6bfa6d9834d1527f", "last_affected_version": "4.15.0", "last_modified": "2023-12-06", "nvd_text": "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. 
No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-2215", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-2215", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-2215", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-2215", "SUSE": "https://www.suse.com/security/cve/CVE-2019-2215", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2215" } }, "CVE-2019-25044": { "affected_versions": "v5.2-rc3 to v5.2-rc4", "breaks": "47cdee29ef9d94e485eb08f962c74943023a5271", "cmt_msg": "block: free sched's request pool in blk_cleanup_queue", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c3e2219216c92919a6bd1711f340f5faa98695e6", "last_modified": "2023-12-06", "nvd_text": "The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. 
This is related to blk_mq_free_rqs and blk_cleanup_queue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-25044", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-25044", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-25044", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-25044", "SUSE": "https://www.suse.com/security/cve/CVE-2019-25044", "Ubuntu": "https://ubuntu.com/security/CVE-2019-25044" } }, "CVE-2019-25045": { "affected_versions": "v4.15-rc6 to v5.1", "breaks": "6a53b7593233ab9e4f96873ebacc0f653a55c3e1", "cmt_msg": "xfrm: clean up xfrm protocol checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "last_affected_version": "5.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.0.19. 
The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-25045", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-25045", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-25045", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-25045", "SUSE": "https://www.suse.com/security/cve/CVE-2019-25045", "Ubuntu": "https://ubuntu.com/security/CVE-2019-25045" } }, "CVE-2019-25160": { "affected_versions": "v2.6.19-rc1 to v5.0", "breaks": "446fda4f26822b2d42ab3396aafcedf38a9ff2b6", "cmt_msg": "netlabel: fix out-of-bounds memory accesses", "fixes": "5578de4834fe0f2a34fedc7374be691443396d1f", "last_affected_version": "5.-1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlabel: fix out-of-bounds memory accesses\n\nThere are two array out-of-bounds memory accesses, one in\ncipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). 
Both\nerrors are embarassingly simple, and the fixes are straightforward.\n\nAs a FYI for anyone backporting this patch to kernels prior to v4.8,\nyou'll want to apply the netlbl_bitmap_walk() patch to\ncipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before\nLinux v4.8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-25160", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-25160", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-25160", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-25160", "SUSE": "https://www.suse.com/security/cve/CVE-2019-25160", "Ubuntu": "https://ubuntu.com/security/CVE-2019-25160" } }, "CVE-2019-25162": { "affected_versions": "v4.3-rc1 to v6.0-rc1", "breaks": "611e12ea0f121a31d9e9c4ce2a18a77abc2f28d6", "cmt_msg": "i2c: Fix a potential use after free", "fixes": "e4c72c06c367758a14f227c847f9d623f1994ecf", "last_affected_version": "5.18.17", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: Fix a potential use after free\n\nFree the adap structure only after we are done using it.\nThis patch just moves the put_device() down a bit to avoid the\nuse after free.\n\n[wsa: added comment to the code, added Fixes tag]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-25162", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-25162", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-25162", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-25162", "SUSE": "https://www.suse.com/security/cve/CVE-2019-25162", "Ubuntu": "https://ubuntu.com/security/CVE-2019-25162" } }, "CVE-2019-3016": { "affected_versions": "v4.10-rc1 to v5.6-rc1", "breaks": "0b9f6c4615c993d2b552e0d2bd1ade49b56e5beb", "cmt_msg": "x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "8c6de56a42e0c657955e12b882a81ef07d1d073e", "last_affected_version": "5.5.2", "last_modified": "2023-12-06", "nvd_text": "In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3016", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3016", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3016", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3016", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3016", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3016" } }, "CVE-2019-3459": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": 
"None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Information Leak / Disclosure", "fixes": "7c9cbd0b5e38a1672fcd137894ace3b042dfbf69", "last_affected_version": "5.0.5", "last_modified": "2023-12-06", "nvd_text": "A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3459", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3459", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3459", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3459", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3459", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3459" } }, "CVE-2019-3460": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Information Leak / Disclosure", "fixes": "af3d5d1c87664a4f150fcf3534c6567cb19909b0", "last_affected_version": "5.0.5", "last_modified": "2023-12-06", "nvd_text": "A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3460", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2019-3460", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3460", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3460", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3460", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3460" } }, "CVE-2019-3701": { "affected_versions": "v3.2-rc1 to v5.0-rc3", "breaks": "c1aabdf379bc2feeb0df7057ed5bad96f492133e", "cmt_msg": "can: gw: ensure DLC boundaries after CAN frame modification", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Out-of-bounds Write", "fixes": "0aaa81377c5a01f686bcdb8c7a6929a7bf330c68", "last_affected_version": "4.20.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user \"root\" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. 
Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3701", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3701", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3701", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3701", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3701", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3701" } }, "CVE-2019-3819": { "affected_versions": "v4.18-rc5 to v5.0-rc6", "breaks": "717adfdaf14704fd3ec7fa2c04520c0723247eac", "cmt_msg": "HID: debug: fix the ring buffer implementation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "13054abbaa4f1fd4e6f3b4b63439ec033b4c8035", "last_affected_version": "4.20.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user (\"root\") can cause a system lock up and a denial of service. 
Versions from v4.18 and newer are vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3819", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3819", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3819", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3819", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3819", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3819" } }, "CVE-2019-3837": { "affected_versions": "v2.6.18-rc1 to v3.18-rc1", "breaks": "db21733488f84a596faaad0d05430b3f51804692", "cmt_msg": "net_dma: simple removal", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "score": 6.1 }, "cwe": "Buffer Errors", "fixes": "7bced397510ab569d31de4c70b39e13355046387", "last_modified": "2023-12-06", "nvd_text": "It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread-unsafe. 
So an unprivileged multi-threaded userspace application calling recvmsg() for the same network socket in parallel executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash the host leading to a denial-of-service or cause a random memory corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3837", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3837", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3837", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3837", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3837", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3837" } }, "CVE-2019-3846": { "affected_versions": "v3.0-rc1 to v5.2-rc6", "breaks": "5e6e3a92b9a4c9416b17f468fa5c7fa2233b8b4e", "cmt_msg": "mwifiex: Fix possible buffer overflows at parsing bss descriptor", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "score": 8.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Buffer Errors", "fixes": "13ec7f10b87f5fc04c4ccbd491c94c7980236a74", "last_affected_version": "5.1.17", "last_modified": "2023-12-06", "nvd_text": "A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3846", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3846", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3846", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2019-3846", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3846", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3846" } }, "CVE-2019-3874": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: implement memory accounting on tx path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Buffer Errors", "fixes": "1033990ac5b2ab6cee93734cb6d301aa3a35bcaa", "last_affected_version": "4.19.136", "last_modified": "2023-12-06", "nvd_text": "The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. 
Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3874", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3874", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3874", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3874", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3874", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3874" } }, "CVE-2019-3882": { "affected_versions": "v3.6-rc1 to v5.1-rc4", "breaks": "73fa0d10d077d9521ee2dace2307ae2c9a965336", "cmt_msg": "vfio/type1: Limit DMA mappings per container", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "492855939bdb59c6f947b0b5b44af9ad82b7e38c", "last_affected_version": "5.0.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). 
Versions 3.10, 4.14 and 4.18 are vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3882", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3882", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3882", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3882", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3882", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3882" } }, "CVE-2019-3887": { "affected_versions": "v4.16-rc1 to v5.1-rc4", "breaks": "15303ba5d1cd9b28d03a980456c0978c0ea3b208", "cmt_msg": "KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 5.6 }, "cwe": "Input Validation", "fixes": "acff78477b9b4f26ecdf65733a4ed77fe837e9dc", "last_affected_version": "5.0.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. 
Kernel versions from 4.16 and newer are vulnerable to this issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3887", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3887", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3887", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3887", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3887", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3887" } }, "CVE-2019-3892": { "affected_versions": "v2.6.12-rc2 to v5.1-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping", "fixes": "04f5866e41fb70690e28397487d8bd8eea7d712a", "last_affected_version": "5.0.9", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11599. Reason: This candidate is a reservation duplicate of CVE-2019-11599. Notes: All CVE users should reference CVE-2019-11599 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3892", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3892", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3892", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3892", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3892", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3892" }, "rejected": true }, "CVE-2019-3896": { "affected_versions": "v2.6.12-rc2 to v2.6.35-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "2dcb22b346be7b7b7e630a8970d69cf3f1111ec1", "last_modified": "2023-12-06", "nvd_text": "A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. 
An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3896", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3896", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3896", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3896" } }, "CVE-2019-3900": { "affected_versions": "v3.14 to v5.2-rc4", "breaks": "d8316f3991d207fe32881a9ac20241be8fa2bad0", "cmt_msg": "vhost_net: fix possible infinite loop", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 7.7 }, "cwe": "Uncontrolled Resource Consumption ('Resource Exhaustion')", "fixes": "e2412c07f8f3040593dfb88207865a3cd58680c0", "last_affected_version": "4.19.63", "last_modified": "2023-12-06", "nvd_text": "An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. 
A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3900", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3900", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3900", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3900", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3900", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3900" } }, "CVE-2019-3901": { "affected_versions": "v2.6.12-rc2 to v4.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf/core: Fix perf_event_open() vs. execve() race", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Race Conditions", "fixes": "79c9ce57eb2d5f1497546a3946b4ae21b6fdc438", "last_affected_version": "4.5.5", "last_modified": "2023-12-06", "nvd_text": "A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. 
This issue affects kernel versions before 4.8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-3901", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-3901", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-3901", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-3901", "SUSE": "https://www.suse.com/security/cve/CVE-2019-3901", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3901" } }, "CVE-2019-5108": { "affected_versions": "v2.6.25-rc1 to v5.3", "breaks": "4fd6931ebe24640bec72b91ba612325843a5e3cc", "cmt_msg": "mac80211: Do not send Layer 2 Update frame before authorization", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Input Validation", "fixes": "3e493173b7841259a08c5c8e5cbe90adb349da7e", "last_affected_version": "5.2", "last_modified": "2023-12-06", "nvd_text": "An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. 
An attacker can forge Authentication and Association Request packets to trigger this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-5108", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-5108", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-5108", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-5108", "SUSE": "https://www.suse.com/security/cve/CVE-2019-5108", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5108" } }, "CVE-2019-5489": { "backport": true, "breaks": "134fca9063ad4851de767d1768180e5dede9a881", "cmt_msg": "Change mincore() to count \"mapped\" pages rather than \"cached\" pages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Information Leak / Disclosure", "fixes": "574823bfab82d9d8fa47f422778043fbb4b4f50e", "last_modified": "2023-12-06", "nvd_text": "The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) 
Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-5489", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-5489", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-5489", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-5489", "SUSE": "https://www.suse.com/security/cve/CVE-2019-5489", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5489" } }, "CVE-2019-6133": { "affected_versions": "v2.6.12-rc2 to v5.0-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fork: record start_time late", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Improper Access Control", "fixes": "7b55851367136b1efd84d98fea81ba57a98304cf", "last_affected_version": "4.20.1", "last_modified": "2023-12-06", "nvd_text": "In PolicyKit (aka polkit) 0.115, the \"start time\" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. 
This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-6133", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-6133", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-6133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-6133", "SUSE": "https://www.suse.com/security/cve/CVE-2019-6133", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6133" } }, "CVE-2019-6974": { "affected_versions": "v3.10-rc1 to v5.0-rc6", "breaks": "852b6d57dc7fa378019786fa84727036e56839ea", "cmt_msg": "kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Race Conditions", "fixes": "cfa39381173d5f969daf43582c95ad679189cbc9", "last_affected_version": "4.20.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-6974", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-6974", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-6974", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-6974", "SUSE": "https://www.suse.com/security/cve/CVE-2019-6974", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6974" } }, "CVE-2019-7221": { "affected_versions": "v3.15-rc1 to v5.0-rc6", "breaks": "f4124500c2c13eb1208c6143b3f6d469709dea10", "cmt_msg": "KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ecec76885bcfe3294685dc363fd1273df0d5d65f", "last_affected_version": "4.20.7", "last_modified": "2023-12-06", "nvd_text": "The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-7221", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-7221", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-7221", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-7221", "SUSE": "https://www.suse.com/security/cve/CVE-2019-7221", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7221" } }, "CVE-2019-7222": { "affected_versions": "v2.6.12-rc2 to v5.0-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack 
Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "353c0956a618a07ba4bbe7ad00ff29fe70e8412a", "last_affected_version": "4.20.7", "last_modified": "2023-12-06", "nvd_text": "The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-7222", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-7222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-7222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-7222", "SUSE": "https://www.suse.com/security/cve/CVE-2019-7222", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7222" } }, "CVE-2019-7308": { "affected_versions": "v4.15-rc8 to v5.0-rc3", "backport": true, "breaks": "b2157399cc9898260d6031c5bfe45fe137c1fbe7", "cmt_msg": "bpf: fix sanitation of alu op with pointer / scalar type from different paths", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Numeric Errors", "fixes": "d3bd7413e0ca40b60cf60d4003246d067cafdeda", "last_affected_version": "4.20.5", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different 
branches with different state or limits to sanitize, leading to side-channel attacks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-7308", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-7308", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-7308", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-7308", "SUSE": "https://www.suse.com/security/cve/CVE-2019-7308", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308" } }, "CVE-2019-8912": { "affected_versions": "v4.10-rc1 to v5.0-rc8", "breaks": "86741ec25462e4c8cdce6df2f41ead05568c7d5e", "cmt_msg": "net: crypto set sk to NULL when af_alg_release.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "9060cb719e61b685ec0102574e10337fa5f445ea", "last_affected_version": "4.20.11", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-8912", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-8912", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-8912", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-8912", "SUSE": "https://www.suse.com/security/cve/CVE-2019-8912", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8912" } }, 
"CVE-2019-8956": { "affected_versions": "v4.17-rc1 to v5.0-rc6", "breaks": "4910280503f3af2857d5aa77e35b22d93a8960a8", "cmt_msg": "sctp: walk the list of asoc safely", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ba59fb0273076637f0add4311faa990a5eec27c0", "last_affected_version": "4.20.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the \"sctp_sendmsg()\" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-8956", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-8956", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-8956", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-8956", "SUSE": "https://www.suse.com/security/cve/CVE-2019-8956", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956" } }, "CVE-2019-8980": { "affected_versions": "v4.7-rc1 to v5.1-rc1", "breaks": "39d637af5aa7577f655c58b9e55587566c63a0af", "cmt_msg": "exec: Fix mem leak in kernel_read_file", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": 
"High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Resource Management Errors", "fixes": "f612acfae86af7ecad754ae6a46019be9da05b8e", "last_affected_version": "5.0.0", "last_modified": "2023-12-06", "nvd_text": "A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-8980", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-8980", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-8980", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-8980", "SUSE": "https://www.suse.com/security/cve/CVE-2019-8980", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8980" } }, "CVE-2019-9003": { "affected_versions": "v4.18-rc1 to v5.0-rc4", "breaks": "e86ee2d44b44056243da17c120ad258717cedf9b", "cmt_msg": "ipmi: fix use-after-free of user->release_barrier.rda", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Use After Free", "fixes": "77f8269606bf95fcb232ee86f6da80886f1dfae8", "last_affected_version": "4.20.4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS 
by arranging for certain simultaneous execution of the code, as demonstrated by a \"service ipmievd restart\" loop.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9003", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9003", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9003", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9003", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9003", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9003" } }, "CVE-2019-9162": { "affected_versions": "v4.16-rc1 to v5.0-rc7", "breaks": "cc2d58634e0f489d28b5564c05abc69930b4d920", "cmt_msg": "netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Validation of Array Index", "fixes": "c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc", "last_affected_version": "4.20.11", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. 
This affects snmp_version and snmp_helper.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9162", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9162", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9162", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9162", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9162", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9162" } }, "CVE-2019-9213": { "affected_versions": "v2.6.24-rc5 to v5.0", "breaks": "8869477a49c3e99def1fcdadd6bbc407fea14b45", "cmt_msg": "mm: enforce min addr even if capable() in expand_downwards()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "0a1d52994d440e21def1c2174932410b4f2a98a1", "last_affected_version": "4.20.13", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. 
This is related to a capability check for the wrong task.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9213", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9213", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9213", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9213", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9213", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213" } }, "CVE-2019-9245": { "affected_versions": "v4.11-rc1 to v5.0-rc1", "breaks": "ba38c27eb93e2d36bf940ca65c145f6e2aaa6d5c", "cmt_msg": "f2fs: sanity check of xattr entry size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "64beba0558fce7b59e9a8a7afd77290e82a22163", "last_affected_version": "4.20.0", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in the f2fs driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9245", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9245", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9245", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9245", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9245", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9245" } }, "CVE-2019-9444": { "affected_versions": "v4.9-rc1 to v4.15-rc2", "breaks": "35538d7822e86cb38015c21bb708a433f8814af0", "cmt_msg": "printk: hash addresses printed with %p", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "ad67b74d2469d9b82aaa572d76474c95bc484d57", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf with %p. This could lead to local information disclosure with system execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9444", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9444", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9444", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9444", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9444", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9444" } }, "CVE-2019-9445": { "affected_versions": "v3.8-rc1 to v5.1-rc1", "breaks": "6b4ea0160ae236a6561defa28e19f973aedda9ff", "cmt_msg": "f2fs: check if file namelen exceeds max value", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "720db068634c91553a8e1d9a0fcd8c7050e06d2b", "last_affected_version": "4.19.96", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9445", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9445", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9445", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9445", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9445", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9445" } }, "CVE-2019-9453": { "affected_versions": "v3.12-rc1 to v5.2-rc1", "breaks": "dd9cfe236f95bbda9ceb5a4ca419b9fb574c95f9", "cmt_msg": "f2fs: fix to avoid accessing xattr across the boundary", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Improper Input Validation", "fixes": "2777e654371dd4207a3a7f4fb5fa39550053a080", "last_affected_version": "5.1.11", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with system execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9453", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9453", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9453", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9453", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9453", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9453" } }, "CVE-2019-9454": { "affected_versions": "v2.6.12-rc2 to v4.15-rc9", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "89c6efa61f5709327ecfa24bff18e57a4e80c7fa", "last_affected_version": "4.14.14", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9454", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9454", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9454", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9454", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9454", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9454" } }, "CVE-2019-9455": { "affected_versions": "v4.2-rc1 to v5.0-rc1", "breaks": "77a3c6fd90c94f635edb00d4a65f485687538791", "cmt_msg": "media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "score": 2.3 }, "cwe": "Information Exposure", "fixes": "5e99456c20f712dcc13d9f6ca4278937d5367355", "last_affected_version": "4.19.30", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in the video driver there is a kernel pointer leak due to a WARN_ON statement. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9455", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9455", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9455", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9455", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9455", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9455" } }, "CVE-2019-9456": { "affected_versions": "v2.6.12-rc2 to v4.16-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: usbmon: Read text within supplied buffer size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "a5f596830e27e15f7a0ecd6be55e433d776986d8", "last_affected_version": "4.15.10", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9456", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9456", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9456", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9456", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9456", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9456" } }, "CVE-2019-9457": { "affected_versions": "unk to v4.13-rc1", "breaks": "", "cmt_msg": "exec: Limit arg stack to at most 75% of _STK_LIM", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "score": "4.6" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "score": "7.8" }, "cwe": "Integer Overflow or Wraparound", "fixes": "da029c11e6b12f321f36dac8771e833b65cec962", "last_affected_version": "4.12.2", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-14634. Reason: This candidate is a reservation duplicate of CVE-2018-14634. Notes: All CVE users should reference CVE-2018-14634 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9457", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9457", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9457", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9457", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9457", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9457" }, "rejected": true }, "CVE-2019-9458": { "affected_versions": "v2.6.35-rc1 to v4.19-rc7", "breaks": "c3b5b0241f620a356c97d8f43343e721c718806d", "cmt_msg": "media: v4l: event: Prevent freeing event subscriptions while accessed", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "ad608fbcf166fec809e402d548761768f602702c", "last_affected_version": "4.18.11", "last_modified": "2023-12-06", "nvd_text": "In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9458", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9458", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9458", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9458", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9458", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9458" } }, "CVE-2019-9466": { "affected_versions": "v2.6.12-rc2 to v5.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "brcmfmac: add subtype check for event handling in data path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": "7.5" }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": "9.8" }, "cwe": "Improper Input Validation", "fixes": "a4176ec356c73a46c07c181c6d04039fafa34a9f", "last_affected_version": "5.0.19", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-9503. Reason: This candidate is a duplicate of CVE-2019-9503. Notes: All CVE users should reference CVE-2019-9503 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9466", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9466", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9466", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9466", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9466", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9466" }, "rejected": true }, "CVE-2019-9500": { "affected_versions": "v4.5-rc1 to v5.1-rc1", "breaks": "3021ad9a4f009265e6063e617fb91306980af16c", "cmt_msg": "brcmfmac: assure SSID length from firmware is limited", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "score": 7.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 8.3 }, "cwe": "Out-of-bounds Write", "fixes": "1b5e2423164b3670e8bc9174e4762d297990deff", "last_affected_version": "5.0.19", "last_modified": "2023-12-06", "nvd_text": "The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. 
In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9500", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9500", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9500", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9500", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9500", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9500" } }, "CVE-2019-9503": { "affected_versions": "v3.2-rc1 to v5.1-rc1", "breaks": "5b435de0d786869c95d1962121af0d7df2542009", "cmt_msg": "brcmfmac: add subtype check for event handling in data path", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "score": 7.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 8.3 }, "cwe": "Improper Input Validation", "fixes": "a4176ec356c73a46c07c181c6d04039fafa34a9f", "last_affected_version": "5.0.19", "last_modified": "2023-12-06", "nvd_text": "The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. 
This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9503", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9503", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9503", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9503", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9503", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9503" } }, "CVE-2019-9506": { "affected_versions": "v2.6.12-rc2 to v5.2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Fix faulty expression for minimum encryption key size check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "score": 4.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "score": 8.1 }, "cwe": "Cryptographic Issues", "fixes": "eca94432934fe5f141d084f2e36ee2c0e614cc04", "last_affected_version": "5.1", "last_modified": "2023-12-06", "name": "KNOB", "nvd_text": "The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9506", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9506", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9506", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9506", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9506", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9506" } }, "CVE-2019-9857": { "affected_versions": "v4.19-rc1 to v5.1-rc2", "breaks": "4d97f7d53da7dc830dbf416a3d2a6778d267ae68", "cmt_msg": "inotify: Fix fsnotify_mark refcount leak in inotify_update_existing_watch()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Resource Management Errors", "fixes": "62c9d2674b31d4c8a674bee86b7edc6da2803aea", "last_affected_version": "5.0.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). 
Finally, this will cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2019-9857", "ExploitDB": "https://www.exploit-db.com/search?cve=2019-9857", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2019-9857", "Red Hat": "https://access.redhat.com/security/cve/CVE-2019-9857", "SUSE": "https://www.suse.com/security/cve/CVE-2019-9857", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9857" } }, "CVE-2020-0009": { "affected_versions": "v3.3-rc1 to v5.6-rc3", "breaks": "11980c2ac4ccfad21a5f8ee9e12059f1e687bb40", "cmt_msg": "staging: android: ashmem: Disallow ashmem memory from being remapped", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Incorrect Default Permissions", "fixes": "6d67b0290b4b84c477e6a2fc6e005e174d3c7786", "last_affected_version": "5.5.6", "last_modified": "2023-12-06", "nvd_text": "In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. 
Product: Android Versions: Android kernel Android ID: A-142938932", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0009", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0009", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0009", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0009", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0009", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0009" } }, "CVE-2020-0030": { "affected_versions": "v2.6.29-rc1 to v4.16-rc3", "breaks": "457b9a6f09f011ebcb9b52cc203a6331a6fc2de7", "cmt_msg": "ANDROID: binder: synchronize_rcu() when using POLLFREE.", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "5eeb2ca02a2f6084fc57ae5c244a38baab07033a", "last_affected_version": "4.15.5", "last_modified": "2023-12-06", "nvd_text": "In binder_thread_release of binder.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145286050References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0030", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0030", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0030", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0030", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0030", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0030" } }, "CVE-2020-0041": { "affected_versions": "v5.1-rc1 to v5.5-rc2", "breaks": "bde4a19fc04f5f46298c86b1acb7a4af1d5f138d", "cmt_msg": "binder: fix incorrect calculation for num_valid", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "16981742717b04644a41052570fb502682a315d2", "last_affected_version": "5.4.3", "last_modified": "2023-12-06", "nvd_text": "In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145988638References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0041", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0041", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0041", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0041", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0041", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0041" } }, "CVE-2020-0066": { "affected_versions": "v3.1-rc1 to v4.3-rc7", "breaks": "c7ac8679bec9397afe8918f788cbcef88c38da54", "cmt_msg": "netlink: Trim skb to alloc size to avoid MSG_TRUNC", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Out-of-bounds Write", "fixes": "db65a3aaf29ecce2e34271d52e8d2336b97bd9fe", "last_affected_version": "4.1.11", "last_modified": "2023-12-06", "nvd_text": "In the netlink driver, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-65025077", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0066", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0066", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0066", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0066", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0066", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0066" } }, "CVE-2020-0067": { "affected_versions": "v3.8-rc1 to v5.5-rc1", "breaks": "af48b85b8cd3fbb12c9b6759c16db6d69c0b03da", "cmt_msg": "f2fs: fix to avoid memory leakage in f2fs_listxattr", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "688078e7f36c293dae25b338ddc9e0a2790f6e06", "last_affected_version": "5.4.35", "last_modified": "2023-12-06", "nvd_text": "In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: Android. Versions: Android kernel. 
Android ID: A-120551147.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0067", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0067", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0067", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0067", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0067", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0067" } }, "CVE-2020-0110": { "affected_versions": "v5.2-rc1 to v5.6-rc2", "breaks": "0e94682b73bfa6c44c98af7a26771c9c08c055d5", "cmt_msg": "sched/psi: Fix OOB write when writing 0 bytes to PSI files", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "6fcca0fa48118e6d63733eb4644c6cd880c15b8f", "last_affected_version": "5.5.6", "last_modified": "2023-12-06", "nvd_text": "In psi_write of psi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-148159562References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0110", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0110", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0110", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0110", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0110", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0110" } }, "CVE-2020-0255": { "affected_versions": "v2.6.12-rc2 to v5.7-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "selinux: properly handle multiple messages in selinux_netlink_send()", "fixes": "fb73974172ffaaf57a7c42f35424d9aece1a5af6", "last_affected_version": "5.6.10", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0255", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0255", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0255", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0255", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0255", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0255" }, "rejected": true }, "CVE-2020-0305": { "affected_versions": "v2.6.12-rc2 to v5.5-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "chardev: Avoid potential use-after-free in 'chrdev_open()'", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Use After Free", "fixes": "68faa679b8be1a74e6663c21c3a9d25d32f1c079", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-153467744", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0305", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0305", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0305", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0305", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0305", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0305" } }, "CVE-2020-0347": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0347", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0347", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0347", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0347", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0347", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0347" } }, "CVE-2020-0404": { "affected_versions": "v2.6.26-rc9 to v5.6-rc1", "breaks": "c0efd232929c2cd87238de2cccdaf4e845be5b0c", "cmt_msg": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Privilege Management", "fixes": "68035c80e129c4cfec659aac4180354530b26527", "last_affected_version": "5.5.2", "last_modified": "2023-12-06", "nvd_text": "In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111893654References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0404", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0404", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0404", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0404", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0404", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0404" } }, "CVE-2020-0423": { "affected_versions": "v4.14-rc1 to v5.10-rc1", "breaks": "72196393a5e3d28c21679e3b745c06dd4a5b24c9", "cmt_msg": "binder: fix UAF when releasing todo list", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Locking", "fixes": "f3277cbfba763cd2826396521b9296de67cf1bbc", "last_affected_version": "5.9.1", "last_modified": "2023-12-06", "nvd_text": "In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-161151868References: N/A", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0423", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0423", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0423", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0423", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0423", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0423" } }, "CVE-2020-0427": { "affected_versions": "v2.6.12-rc2 to v5.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "pinctrl: devicetree: Avoid taking direct reference to device name string", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Use After Free", "fixes": "be4c60b563edee3712d392aaeb0943a768df7023", "last_affected_version": "5.4.6", "last_modified": "2023-12-06", "nvd_text": "In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0427", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0427", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0427", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0427", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0427", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0427" } }, "CVE-2020-0429": { "affected_versions": "v2.6.12-rc2 to v4.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "b228a94066406b6c456321d69643b0d7ce11cfa6", "last_affected_version": "4.9.218", "last_modified": "2023-12-06", "nvd_text": "In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-152735806", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0429", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0429", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0429", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0429", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0429", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0429" } }, "CVE-2020-0430": { "affected_versions": "v4.14-rc1 to v4.18-rc1", "breaks": "f1174f77b50c94eecaa658fdc56fa69b421de4b8", "cmt_msg": "bpf: reject passing modified ctx to helper functions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "58990d1ff3f7896ee341030e9a7c2e4002570683", "last_affected_version": "4.17.6", "last_modified": "2023-12-06", "nvd_text": "In skb_headlen of /include/linux/skbuff.h, there is a possible out of bounds read due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-153881554", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0430", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0430", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0430", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0430", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0430", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0430" } }, "CVE-2020-0431": { "affected_versions": "v2.6.12-rc2 to v5.5-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: hid-input: clear unmapped usages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "4f3882177240a1f55e45a3d241d3121341bead78", "last_affected_version": "5.4.11", "last_modified": "2023-12-06", "nvd_text": "In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-144161459", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0431", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0431", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0431", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0431", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0431", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0431" } }, "CVE-2020-0432": { "affected_versions": "v2.6.12-rc2 to v5.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "staging: most: net: fix buffer overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "4d1356ac12f4d5180d0df345d85ff0ee42b89c72", "last_affected_version": "5.5.0", "last_modified": "2023-12-06", "nvd_text": "In skb_to_mamac of networking.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-143560807", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0432", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0432", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0432", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0432", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0432", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0432" } }, "CVE-2020-0433": { "affected_versions": "v2.6.12-rc2 to v4.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f5bbbbe4d63577026f908a809f22f5fd5a90ea1f", "last_affected_version": "4.14.175", "last_modified": "2023-12-06", "nvd_text": "In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-151939299", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0433", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0433", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0433", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0433", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0433", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0433" } }, "CVE-2020-0435": { "affected_versions": "unk to v4.19-rc1", "breaks": "", "cmt_msg": "f2fs: fix to do sanity check with i_extra_isize", "fixes": "18dd6470c2d14d10f5a2dd926925dc80dbd3abfd", "last_affected_version": "4.14.85", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-14615. Reason: This candidate is a duplicate of CVE-2018-14615. Notes: All CVE users should reference CVE-2018-14615 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0435", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0435", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0435", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0435", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0435", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0435" }, "rejected": true }, "CVE-2020-0444": { "affected_versions": "v3.18-rc1 to v5.6-rc4", "breaks": "219ca39427bf6c46c4e1473493e33bc00635e99b", "cmt_msg": "audit: fix error handling in audit_data_to_entry()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "2ad3e17ebf94b7b7f3f64c050ff168f9915345eb", "last_affected_version": "5.5.7", "last_modified": "2023-12-06", "nvd_text": "In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-150693166. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0444", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0444", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0444", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0444", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0444", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0444" } }, "CVE-2020-0465": { "affected_versions": "v2.6.12-rc2 to v5.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: core: Sanitize event code and type when mapping input", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Out-of-bounds Write", "fixes": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25", "last_affected_version": "5.8.6", "last_modified": "2023-12-06", "nvd_text": "In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-162844689. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0465", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0465", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0465", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0465", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0465", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0465" } }, "CVE-2020-0466": { "affected_versions": "v2.6.12-rc2 to v5.9-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "do_epoll_ctl(): clean the failure exits up a bit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "52c479697c9b73f628140dcdfcd39ea302d05482", "last_affected_version": "5.8.3", "last_modified": "2023-12-06", "nvd_text": "In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-147802478. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0466", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0466", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0466", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0466", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0466", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0466" } }, "CVE-2020-0543": { "affected_versions": "unk to v5.8-rc1", "breaks": "", "cmt_msg": "x86/cpu: Add 'table' argument to cpu_matches()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "3798cc4d106e91382bfe016caa2edada27c2bb3f", "last_affected_version": "5.7.1", "last_modified": "2023-12-06", "nvd_text": "Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-0543", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-0543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-0543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-0543", "SUSE": "https://www.suse.com/security/cve/CVE-2020-0543", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0543" } }, "CVE-2020-10135": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Consolidate encryption handling in hci_encrypt_cfm", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "score": 4.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "score": 5.4 }, "cwe": "Improper Authentication", "fixes": "3ca44c16b0dcc764b641ee4ac226909f5c421aa3", "last_affected_version": "5.4.71", "last_modified": "2023-12-06", "nvd_text": "Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. 
An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10135", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10135", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10135", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10135", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10135", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10135" } }, "CVE-2020-10690": { "affected_versions": "v3.0-rc1 to v5.5-rc5", "breaks": "d94ba80ebbea17f036cecb104398fbcd788aa742", "cmt_msg": "ptp: fix the race between the release of ptp_clock and cdev", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Use After Free", "fixes": "a33121e5487b424339636b25c35d3a180eaa5f5e", "last_affected_version": "5.4.7", "last_modified": "2023-12-06", "nvd_text": "There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev during resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep, and the underlying device is removed during this time, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. 
The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10690", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10690", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10690", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10690", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10690", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10690" } }, "CVE-2020-10708": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10708", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10708", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10708", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10708", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10708", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10708" }, "rejected": true }, "CVE-2020-10711": { "affected_versions": "v3.17-rc1 to v5.7-rc6", "breaks": "4b8feff251da3d7058b5779e21b33a85c686b974", "cmt_msg": "netlabel: cope with NULL catmap", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 
"score": 5.9 }, "cwe": "NULL Pointer Dereference", "fixes": "eead1c2ea2509fd754c6da893a94f0e69e83ebe4", "last_affected_version": "5.6.13", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10711", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10711", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10711", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10711", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10711", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10711" } }, "CVE-2020-10720": { "affected_versions": "v3.15-rc1 to v5.2-rc3", "breaks": "a50e233c50dbc881abaa0e4070789064e8d12d70", "cmt_msg": "net-gro: fix use-after-free read in napi_gro_frags()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "a4270d6795b0580287453ea55974d948393e66ef", "last_affected_version": "5.1.6", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an attacker with local access to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10720", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10720", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10720", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10720", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10720", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10720" } }, "CVE-2020-10732": { "affected_versions": "v2.6.25-rc1 to v5.7", "breaks": "4206d3aa1978e44f58bfa4e1c9d8d35cbf19c187", "cmt_msg": "fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "score": 4.4 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "1d605416fb7175e1adf094251466caa52093b413", "last_affected_version": "5.6", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of Userspace core dumps. 
This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10732", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10732", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10732", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10732", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10732", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10732" } }, "CVE-2020-10742": { "affected_versions": "v2.6.12-rc2 to v3.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "new helper: iov_iter_get_pages_alloc()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "cwe": "Out-of-bounds Write", "fixes": "91f79c43d1b54d7154b118860d81b39bad07dfff", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leads the NFS client to crash. In some cases, an index reaching past the end of a memory allocation made by kmalloc will cause a kernel panic. 
The highest threat from this vulnerability is to data confidentiality and system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10742", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10742", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10742", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10742", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10742", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10742" } }, "CVE-2020-10751": { "affected_versions": "v2.6.12-rc2 to v5.7-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "selinux: properly handle multiple messages in selinux_netlink_send()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "score": 6.1 }, "cwe": "Insufficient Verification of Data Authenticity", "fixes": "fb73974172ffaaf57a7c42f35424d9aece1a5af6", "last_affected_version": "5.6.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. 
The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10751", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10751", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10751", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10751", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10751" } }, "CVE-2020-10757": { "affected_versions": "v4.5-rc1 to v5.8-rc1", "breaks": "5c7fb56e5e3f7035dd798a8e1adee639f87043e5", "cmt_msg": "mm: Fix mremap not considering huge pmd devmap", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "5bfea2d9b17f1034a68147a8b03b9789af5700f9", "last_affected_version": "5.7.0", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. 
This flaw allows a local attacker with access to DAX-enabled storage to escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10757", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10757", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10757", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10757", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10757", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10757" } }, "CVE-2020-10766": { "affected_versions": "v4.20-rc5 to v5.8-rc1", "backport": true, "breaks": "5bfbe3ad5840d941b89bcac54b821ba14f50a0ba", "cmt_msg": "x86/speculation: Prevent rogue cross-process SSBD shutdown", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "dbbe2ad02e9df26e372f38cc3e70dab9222c832e", "last_affected_version": "5.7.2", "last_modified": "2023-12-06", "nvd_text": "A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIBP switching was added on top of the existing SSBD switching. 
The highest threat from this vulnerability is to confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10766", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10766", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10766", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10766", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10766", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10766" } }, "CVE-2020-10767": { "affected_versions": "v4.20-rc5 to v5.8-rc1", "backport": true, "breaks": "7cc765a67d8e04ef7d772425ca5a2a1e2b894c15", "cmt_msg": "x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "21998a351512eba4ed5969006f0c55882d995ada", "last_affected_version": "5.7.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. 
The highest threat from this vulnerability is to confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10767", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10767", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10767", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10767", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10767", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10767" } }, "CVE-2020-10768": { "affected_versions": "v4.20-rc5 to v5.8-rc1", "backport": true, "breaks": "9137bb27e60e554dab694eafa4cca241fa3a694f", "cmt_msg": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf", "last_affected_version": "5.7.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel before 5.8-rc1 in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. 
The highest threat from this vulnerability is to confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10768", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10768", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10768", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10768", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10768", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10768" } }, "CVE-2020-10769": { "affected_versions": "v2.6.12-rc2 to v5.0-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "crypto: authenc - fix parsing key with misaligned rta_len", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "8f9c469348487844328e162db57112f7d347c49f", "last_affected_version": "4.20.3", "last_modified": "2023-12-06", "nvd_text": "A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload is longer than 4 bytes and does not follow the 4-byte alignment boundary guidelines, it causes a buffer over-read, leading to a system crash. 
This flaw allows a local attacker with user privileges to cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10769", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10769", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10769", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10769", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10769", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10769" } }, "CVE-2020-10773": { "affected_versions": "v2.6.12-rc2 to v5.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "s390/cmm: fix information leak in cmm_timeout_handler()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Unspecified", "fixes": "b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f", "last_affected_version": "5.3.8", "last_modified": "2023-12-06", "nvd_text": "A stack information leak flaw was found in s390/s390x in the Linux kernel\u2019s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. 
This flaw allows a local user to see the kernel data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10773", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10773", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10773", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10773", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10773", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10773" } }, "CVE-2020-10774": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Buffer Access with Incorrect Length Value", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. 
The highest threat from this vulnerability is to confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10774", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10774", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10774", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10774", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10774", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10774" }, "vendor_specific": true }, "CVE-2020-10781": { "affected_versions": "v4.13-rc1 to v5.8-rc6", "breaks": "f40609d1591fbbd9d391f1f8220173237911ab23", "cmt_msg": "Revert \"zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "853eab68afc80f59f36bbdeb715e5c88c501e680", "last_affected_version": "5.7.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory that is not accounted to the user who triggers the creation of that ZRAM device. 
With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10781", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-10781", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10781", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10781" } }, "CVE-2020-10942": { "affected_versions": "v2.6.34-rc1 to v5.6-rc4", "breaks": "3a4d5c94e959359ece6d6b55045c3f046677f55c", "cmt_msg": "vhost: Check docket sk_family instead of call getname", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:N/I:P/A:C", "score": 5.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "score": 5.3 }, "cwe": "Out-of-bounds Write", "fixes": "42d84c8490f9f0931786f1623191fcab397c3d64", "last_affected_version": "5.5.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-10942", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-10942", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-10942", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2020-10942", "SUSE": "https://www.suse.com/security/cve/CVE-2020-10942", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10942" } }, "CVE-2020-11494": { "affected_versions": "v2.6.38-rc1 to v5.7-rc1", "breaks": "a1044e36e457fb6dbdf90ce756d578b251d99b5e", "cmt_msg": "slcan: Don't transmit uninitialized stack data in padding", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "b9258a2cece4ec1f020715fe3554bc2e360f6264", "last_affected_version": "5.6.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. 
It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11494", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11494", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11494", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11494", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11494", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11494" } }, "CVE-2020-11565": { "affected_versions": "v2.6.26-rc1 to v5.7-rc1", "breaks": "095f1fc4ebf36c64fddf9b6db29b1ab5517378e6", "cmt_msg": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "score": 6.0 }, "cwe": "Out-of-bounds Write", "fixes": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd", "last_affected_version": "5.6.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. 
NOTE: Someone in the security community disagrees that this is a vulnerability because the issue \u201cis a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.\u201d", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11565", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11565", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11565", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11565" } }, "CVE-2020-11608": { "affected_versions": "v2.6.31-rc1 to v5.7-rc1", "breaks": "1876bb923c98c605eca69f0bfe295f7b5f5eba28", "cmt_msg": "media: ov519: add missing endpoint sanity checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.3 }, "cwe": "NULL Pointer Dereference", "fixes": "998912346c0da53a6dbb71fab3a138586b596b30", "last_affected_version": "5.6.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.6.1. 
drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11608", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11608", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11608", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11608", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11608", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11608" } }, "CVE-2020-11609": { "affected_versions": "v2.6.38-rc1 to v5.7-rc1", "breaks": "c0b33bdc5b8d9c1120dece660480d4dd86b817ee", "cmt_msg": "media: stv06xx: add missing descriptor sanity checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.3 }, "cwe": "NULL Pointer Dereference", "fixes": "485b06aadb933190f4bc44e006076bc27a23f205", "last_affected_version": "5.6.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. 
drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11609", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11609", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11609", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11609", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11609", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11609" } }, "CVE-2020-11668": { "affected_versions": "v2.6.37-rc1 to v5.7-rc1", "breaks": "59f8b0bf3c12598cf4a5b333b0287774dbbdbe1f", "cmt_msg": "media: xirlink_cit: add missing descriptor sanity checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "score": 7.1 }, "cwe": "Improper Input Validation", "fixes": "a246b4d547708f33ff4d4b9a7a5dbac741dc89d8", "last_affected_version": "5.6.0", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11668", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11668", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11668", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11668", "SUSE": 
"https://www.suse.com/security/cve/CVE-2020-11668", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11668" } }, "CVE-2020-11669": { "affected_versions": "v2.6.12-rc2 to v5.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "powerpc/powernv/idle: Restore AMR/UAMOR/AMOR after idle", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "53a712bae5dd919521a58d7bad773b949358add0", "last_affected_version": "4.19.115", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. 
arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11669", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11669", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11669", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11669" } }, "CVE-2020-11725": { "affected_versions": "v4.1-rc1 to unk", "breaks": "2225e79b9b0370bc179f44756bee809b5e7b4d06", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified \"interesting side effects.\" NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the \"owner\" concept. 
The existing callers, SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE, have been designed to misuse the info->owner field in a safe way", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11725", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11725", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11725", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11725", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11725", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11725" } }, "CVE-2020-11884": { "affected_versions": "v4.15-rc1 to v5.7-rc4", "breaks": "0aaba41b58bc5f3074c0c0a6136b9500b5e29e19", "cmt_msg": "s390/mm: fix page table upgrade vs 2ndary address mode accesses", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "316ec154810960052d4586b634156c54d0778f74", "last_affected_version": "5.6.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. 
A crash could also occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11884", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11884", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11884", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11884" } }, "CVE-2020-11935": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-11935", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-11935", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-11935", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-11935", "SUSE": "https://www.suse.com/security/cve/CVE-2020-11935", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11935" }, "vendor_specific": true }, "CVE-2020-12114": { "affected_versions": "v3.10-rc1 to v5.3-rc1", "alt_msg": "fs/namespace.c: fix mountpoint reference counter race", "breaks": "84d17192d2afd52aeba88c71ae4959a015f56a38", "cmt_msg": "make struct mountpoint bear the dentry reference to mountpoint, not struct mount", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": 
"None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "4edbe133f851c9e3a2f2a1db367e826b01e72594", "last_affected_version": "4.19.118", "last_modified": "2023-12-06", "nvd_text": "A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12114", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12114", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12114", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12114", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12114", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12114" } }, "CVE-2020-12351": { "affected_versions": "v4.8-rc5 to v5.10-rc1", "breaks": "dbb50887c8f619fc5c3489783ebc3122bc134a31", "cmt_msg": "Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "score": 5.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Improper Input Validation", "fixes": "f19425641cb2572a33cb074d5e30283720bd4d22", "last_affected_version": "5.9.0", "last_modified": "2023-12-06", "nvd_text": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12351", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12351", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12351", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12351", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12351", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12351" } }, "CVE-2020-12352": { "affected_versions": "v3.6-rc1 to v5.10-rc1", "breaks": "47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6", "cmt_msg": "Bluetooth: A2MP: Fix not initializing all members", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "eddb7732119d53400f48a02536a84c509692faa8", "last_affected_version": "5.9.0", "last_modified": "2023-12-06", "nvd_text": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12352", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2020-12352", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12352", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12352", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12352", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12352" } }, "CVE-2020-12362": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/i915/guc: Update to use firmware v49.0.1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "c784e5249e773689e38d2bc1749f08b986621a26", "last_modified": "2023-12-06", "nvd_text": "Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an escalation of privilege via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12362", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12362", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12362", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12362", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12362", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12362" } }, "CVE-2020-12363": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": 
"drm/i915/guc: Update to use firmware v49.0.1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "c784e5249e773689e38d2bc1749f08b986621a26", "last_modified": "2023-12-06", "nvd_text": "Improper input validation in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12363", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12363", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12363", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12363", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12363", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12363" } }, "CVE-2020-12364": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/i915/guc: Update to use firmware v49.0.1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "c784e5249e773689e38d2bc1749f08b986621a26", "last_modified": "2023-12-06", "nvd_text": "Null pointer reference in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12364", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12364", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12364", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12364", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12364", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12364" } }, "CVE-2020-12464": { "affected_versions": "v2.6.12-rc2 to v5.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: core: Fix free-while-in-use bug in the USB S-Glibrary", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "056ad39ee9253873522f6469c3364964a322912b", "last_affected_version": "5.6.7", "last_modified": "2023-12-06", "nvd_text": "usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2020-12464", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12464", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12464", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12464", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12464", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12464" } }, "CVE-2020-12465": { "affected_versions": "v4.16-rc1 to v5.6-rc6", "breaks": "17f1de56df051229988aab37e01971c9713c4a31", "cmt_msg": "mt76: fix array overflow on receiving too many fragments for a packet", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "b102f0c522cf668c8382c56a4f771b37d011cda2", "last_affected_version": "5.5.9", "last_modified": "2023-12-06", "nvd_text": "An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. 
An oversized packet with too many rx fragments can corrupt memory of adjacent pages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12465", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12465", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12465", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12465", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12465", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12465" } }, "CVE-2020-12652": { "affected_versions": "v2.6.12-rc2 to v5.5-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: mptfusion: Fix double fetch bug in ioctl", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.1 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "28d76df18f0ad5bcf5fa48510b225f0ed262a99b", "last_affected_version": "5.4.13", "last_modified": "2023-12-06", "nvd_text": "The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a \"double fetch\" vulnerability, aka CID-28d76df18f0a. 
NOTE: the vendor states \"The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12652", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12652", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12652", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12652", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12652", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12652" } }, "CVE-2020-12653": { "affected_versions": "v2.6.12-rc2 to v5.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d", "last_affected_version": "5.5.3", "last_modified": "2023-12-06", "nvd_text": "An issue was found in Linux kernel before 5.5.4. 
The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12653", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12653", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12653", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12653", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12653", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12653" } }, "CVE-2020-12654": { "affected_versions": "v2.6.12-rc2 to v5.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:H/Au:N/C:P/I:P/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Write", "fixes": "3a9b153c5591548612c3955c9600a98150c81875", "last_affected_version": "5.5.3", "last_modified": "2023-12-06", "nvd_text": "An issue was found in Linux kernel before 5.5.4. 
mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12654", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12654", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12654", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12654", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12654", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12654" } }, "CVE-2020-12655": { "affected_versions": "v2.6.12-rc2 to v5.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: add agf freeblocks verify in xfs_agf_verify", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "d0c7feaf87678371c2c09b3709400be416b2dc62", "last_affected_version": "5.4.49", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. 
Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12655", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12655", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12655", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12655", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12655", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12655" } }, "CVE-2020-12656": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sunrpc: check that domain table is empty at module unload.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "f45db2b909c7e76f35850e78f017221f30282b8e", "last_affected_version": "5.7.12", "last_modified": "2023-12-06", "nvd_text": "gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. 
A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12656", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12656", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12656", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12656" } }, "CVE-2020-12657": { "affected_versions": "v4.12-rc1 to v5.7-rc1", "breaks": "aee69d78dec0ffdf82e35d57c626e80dddc314d5", "cmt_msg": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9", "last_affected_version": "5.6.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.6.5. 
There is a use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12657", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12657", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12657", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12657", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12657", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12657" } }, "CVE-2020-12659": { "affected_versions": "v4.18-rc1 to v5.7-rc2", "breaks": "c0c77d8fb787cfe0c3fca689c2a30d1dad4eaba7", "cmt_msg": "xsk: Add missing check on user supplied headroom size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "last_affected_version": "5.6.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.6.7. 
xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12659", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12659", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12659", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12659", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12659", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12659" } }, "CVE-2020-12768": { "affected_versions": "v4.16-rc1 to v5.6-rc4", "breaks": "70cd94e60c733e3afc18b0e6aab789c13b5571da", "cmt_msg": "KVM: SVM: Fix potential memory leak in svm_cpu_init()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068", "last_affected_version": "5.4.42", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. 
NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12768", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12768", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12768", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12768", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12768", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12768" } }, "CVE-2020-12769": { "affected_versions": "v2.6.33-rc1 to v5.5-rc6", "breaks": "e24c745272072fd2abe55209f1949b7b7ee602a7", "cmt_msg": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "last_affected_version": "5.4.16", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.4.17. 
drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12769", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12769", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12769", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12769", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12769", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12769" } }, "CVE-2020-12770": { "affected_versions": "v2.6.12-rc2 to v5.7-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: sg: add sg_remove_request in sg_write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Unspecified", "fixes": "83c6f2390040f188cc25b270b4befeb5628c1aee", "last_affected_version": "5.6.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.6.11. 
sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12770", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12770", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12770", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12770", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12770", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12770" } }, "CVE-2020-12771": { "affected_versions": "v3.15-rc1 to v5.8-rc2", "breaks": "2a285686c109816ba71a00b9278262cf02648258", "cmt_msg": "bcache: fix potential deadlock problem in btree_gc_coalesce", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "be23e837333a914df3f24bf0b32e87b0331ab8d1", "last_affected_version": "5.7.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.6.11. 
btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12771", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12771", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12771", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12771", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12771", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12771" } }, "CVE-2020-12826": { "affected_versions": "v2.6.12-rc2 to v5.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "signal: Extend exec_id to 64bits", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "score": 5.3 }, "cwe": "Integer Overflow or Wraparound", "fixes": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "last_affected_version": "5.6.4", "last_modified": "2023-12-06", "nvd_text": "A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. 
Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12826", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12826", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12826", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12826", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12826", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12826" } }, "CVE-2020-12888": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vfio-pci: Invalidate mmaps and block MMIO access on disabled memory", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H", "score": 5.3 }, "cwe": "Improper Handling of Exceptional Conditions", "fixes": "abafbc551fddede3e0a08dee1dcde08fc0eb8476", "last_affected_version": "5.4.63", "last_modified": "2023-12-06", "nvd_text": "The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12888", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12888", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12888", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12888", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12888", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12888" } }, "CVE-2020-12912": { "affected_versions": "v5.8-rc1 to v5.10-rc4", "breaks": "8abee9566b7e8eecf566c4daf6be062a27369890", "cmt_msg": "hwmon: (amd_energy) modify the visibility of the counters", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Observable Differences in Behavior to Error Inputs", "fixes": "60268b0e8258fdea9a3c9f4b51e161c123571db3", "last_affected_version": "5.9.8", "last_modified": "2023-12-06", "nvd_text": "A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. 
In line with industry partners, AMD has updated the RAPL interface to require privileged access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-12912", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-12912", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-12912", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-12912", "SUSE": "https://www.suse.com/security/cve/CVE-2020-12912", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12912" } }, "CVE-2020-13143": { "affected_versions": "v3.10-rc1 to v5.7-rc6", "breaks": "88af8bbe4ef781031ad3370847553f3b42ba0076", "cmt_msg": "USB: gadget: fix illegal array access in binding with UDC", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Out-of-bounds Read", "fixes": "15753588bcd4bbffae1cca33c8ced5722477fe1f", "last_affected_version": "5.6.13", "last_modified": "2023-12-06", "nvd_text": "gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-13143", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-13143", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-13143", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-13143", "SUSE": 
"https://www.suse.com/security/cve/CVE-2020-13143", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13143" } }, "CVE-2020-13974": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt: keyboard: avoid signed integer overflow in k_ascii", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "b86dab054059b970111b5516ae548efaae5b3aae", "last_affected_version": "5.7.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 4.4 through 5.7.1. drivers/tty/vt/keyboard.c has an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. 
NOTE: Members in the community argue that the integer overflow does not lead to a security issue in this case.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-13974", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-13974", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-13974", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-13974", "SUSE": "https://www.suse.com/security/cve/CVE-2020-13974", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13974" } }, "CVE-2020-14304": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Improper Handling of Exceptional Conditions", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. 
The highest threat from this vulnerability is to confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14304", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14304", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14304", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14304", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14304", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14304" } }, "CVE-2020-14305": { "affected_versions": "v3.6-rc1 to v4.12-rc1", "breaks": "1afc56794e03229fa53cfa3c5012704d226e1dec", "cmt_msg": "netfilter: helpers: remove data_len usage for inkernel helpers", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "score": 8.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwe": "Out-of-bounds Write", "fixes": "9f0f3ebeda47a5518817f33c40f6d3ea9c0275b8", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory write flaw was found in how the Linux kernel\u2019s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14305", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14305", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14305", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14305", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14305", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14305" } }, "CVE-2020-14314": { "affected_versions": "v2.6.23-rc7 to v5.9-rc2", "breaks": "ef2b02d3e617cb0400eedf2668f86215e1b0e6af", "cmt_msg": "ext4: fix potential negative array index in do_split()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "5872331b3d91820e14716632ebb56b1399b34fe1", "last_affected_version": "5.8.3", "last_modified": "2023-12-06", "nvd_text": "A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14314", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14314", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14314", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14314", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14314", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14314" } }, "CVE-2020-14331": { "affected_versions": "v2.6.17-rc1 to v5.9-rc1", "breaks": "15bdab959c9bb909c0317480dd9b35748a8f7887", "cmt_msg": "vgacon: Fix for missing check in scrollback handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Write", "fixes": "ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d", "last_affected_version": "5.8.0", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14331", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14331", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14331", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14331", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14331", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14331" } }, "CVE-2020-14351": { "affected_versions": "v3.10-rc7 to v5.10-rc1", "breaks": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b", "cmt_msg": "perf/core: Fix race in the perf_mmap_close() function", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f91072ed1b7283b13ca57fcfbece5a3b92726143", "last_affected_version": "5.9.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14351", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14351", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14351", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14351", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14351", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14351" } }, "CVE-2020-14353": { "affected_versions": "v2.6.26-rc1 to v4.14-rc3", "breaks": "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9", "cmt_msg": "KEYS: prevent creating a different user's keyrings", "fixes": "237bbd29f7a049d310d907f4b2716a7feef9abf3", "last_affected_version": "4.13.4", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14353", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14353", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14353", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14353", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14353", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14353" }, "rejected": true }, "CVE-2020-14356": { "affected_versions": "v4.5-rc1 to v5.8-rc5", "breaks": "bd1060a1d67128bb8fbe2e1384c518912cbe54e7", "cmt_msg": "cgroup: fix cgroup_sk_alloc() for sk_clone_lock()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "ad0f75e5f57ccbceec13274e1e242f2b5a6397ed", "last_affected_version": "5.7.9", "last_modified": "2023-12-06", "nvd_text": "A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. 
A local user could use this flaw to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14356", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14356", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14356", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14356", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14356", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14356" } }, "CVE-2020-14381": { "affected_versions": "v2.6.12-rc2 to v5.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "futex: Fix inode life-time issue", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "8019ad13ef7f64be44d4f892af9c840179009254", "last_affected_version": "5.5.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14381", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14381", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14381", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14381", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14381", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14381" } }, "CVE-2020-14385": { "affected_versions": "v4.16-rc1 to v5.9-rc4", "breaks": "1e1bbd8e7ee0624034e9bf1e91ac11a7aaa2f8a6", "cmt_msg": "xfs: fix boundary test in xfs_attr_shortform_verify", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Incorrect Calculation of Buffer Size", "fixes": "f4020438fab05364018c91f7e02ebdd192085933", "last_affected_version": "5.8.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14385", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14385", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14385", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14385", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14385", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14385" } }, "CVE-2020-14386": { "affected_versions": "v4.6-rc1 to v5.9-rc4", "breaks": "58d19b19cd99b438541eea4cdbf5c171900b25e5", "cmt_msg": "net/packet: fix overflow in tpacket_rcv", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "acf69c946233259ab4d64f8869d4037a198c7f06", "last_affected_version": "5.8.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. 
The highest threat from this vulnerability is to data confidentiality and integrity.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14386", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14386", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14386", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14386", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14386", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14386" } }, "CVE-2020-14390": { "affected_versions": "v2.6.12-rc2 to v5.9-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbcon: remove soft scrollback code", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H", "score": 5.6 }, "cwe": "Out-of-bounds Write", "fixes": "50145474f6ef4a9c19205b173da6264a644c7489", "last_affected_version": "5.8.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. 
Due to the nature of the flaw, privilege escalation cannot be fully ruled out.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14390", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14390", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14390", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14390", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14390", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14390" } }, "CVE-2020-14416": { "affected_versions": "v2.6.12-rc2 to v5.5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "can, slip: Protect tty->disc_data in write_wakeup and close with RCU", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "score": 4.2 }, "cwe": "Use After Free", "fixes": "0ace17d56824165c7f4c68785d6b58971db954dd", "last_affected_version": "5.4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. 
This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-14416", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-14416", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-14416", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-14416", "SUSE": "https://www.suse.com/security/cve/CVE-2020-14416", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14416" } }, "CVE-2020-15393": { "affected_versions": "v2.6.12-rc2 to v5.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "28ebeb8db77035e058a510ce9bd17c2b9a009dba", "last_affected_version": "5.7.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-15393", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-15393", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-15393", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-15393", "SUSE": "https://www.suse.com/security/cve/CVE-2020-15393", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15393" } }, "CVE-2020-15436": { 
"affected_versions": "v2.6.38-rc1 to v5.8-rc2", "breaks": "77ea887e433ad8389d416826936c110fa7910f80", "cmt_msg": "block: Fix use-after-free in blkdev_get()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "2d3a8e2deddea6c89961c422ec0c5b851e648c14", "last_affected_version": "5.7.5", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-15436", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-15436", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-15436", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-15436", "SUSE": "https://www.suse.com/security/cve/CVE-2020-15436", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15436" } }, "CVE-2020-15437": { "affected_versions": "v2.6.12-rc2 to v5.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "serial: 8250: fix null-ptr-deref in serial8250_start_tx()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "NULL Pointer Dereference", "fixes": "f4c23a140d80ef5e6d3d1f8f57007649014b60fa", "last_affected_version": "5.7.10", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-15437", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-15437", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-15437", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-15437", "SUSE": "https://www.suse.com/security/cve/CVE-2020-15437", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15437" } }, "CVE-2020-15780": { "affected_versions": "v4.8-rc1 to v5.8-rc3", "breaks": "0bf54fcd95042bd178cb25368422cf4474fc8492", "cmt_msg": "ACPI: configfs: Disallow loading ACPI tables when locked down", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Incorrect Authorization", "fixes": "75b0cea7bf307f362057cc778efe89af4c615354", "last_affected_version": "5.7.6", "last_modified": "2023-12-06", "nvd_text": "An issue was 
discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-15780", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-15780", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-15780", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-15780", "SUSE": "https://www.suse.com/security/cve/CVE-2020-15780", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15780" } }, "CVE-2020-15802": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 5.9 }, "cwe": "Improper Authentication", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. 
Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-15802", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-15802", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-15802", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-15802", "SUSE": "https://www.suse.com/security/cve/CVE-2020-15802", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15802" } }, "CVE-2020-15852": { "affected_versions": "v5.5-rc1 to v5.8-rc6", "breaks": "22fe5b0439dd53643fd6f4c582c46c6dba0fde53", "cmt_msg": "x86/ioperm: Fix io bitmap invalidation on Xen PV", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Incorrect Default Permissions", "fixes": "cadfad870154e14f745ec845708bc17d166065f2", "last_affected_version": "5.7.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. 
This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-15852", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-15852", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-15852", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-15852", "SUSE": "https://www.suse.com/security/cve/CVE-2020-15852", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15852" } }, "CVE-2020-16119": { "affected_versions": "v4.17-rc7 to v5.15-rc2", "breaks": "2677d20677314101293e6da0094ede7b5526d2b1", "cmt_msg": "dccp: don't duplicate ccid when cloning dccp sock", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "d9ea761fdd197351890418acd462c51f241014a7", "last_affected_version": "5.14.6", "last_modified": "2023-12-06", "nvd_text": "Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. 
Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-16119", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-16119", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-16119", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-16119", "SUSE": "https://www.suse.com/security/cve/CVE-2020-16119", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-16119" } }, "CVE-2020-16120": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ovl: switch to mounter creds in readdir", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Unspecified", "fixes": "48bd024b8a40d73ad6b086de2615738da0c7004f", "last_modified": "2023-12-06", "nvd_text": "Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). 
This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-16120", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-16120", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-16120", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-16120", "SUSE": "https://www.suse.com/security/cve/CVE-2020-16120", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-16120" } }, "CVE-2020-16166": { "affected_versions": "v2.6.12-rc2 to v5.8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "random32: update the net random state on interrupt and activity", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 3.7 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "f227e3ec3b5cad859ad15666874405e8c1bbc1d4", 
"last_affected_version": "5.7", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-16166", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-16166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-16166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-16166", "SUSE": "https://www.suse.com/security/cve/CVE-2020-16166", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-16166" } }, "CVE-2020-1749": { "affected_versions": "v2.6.12-rc2 to v5.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Cleartext Transmission of Sensitive Information", "fixes": "6c8991f41546c3c472503dff1ea9daaddf9331c2", "last_affected_version": "5.4.4", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. 
This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-1749", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-1749", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-1749", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-1749", "SUSE": "https://www.suse.com/security/cve/CVE-2020-1749", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1749" } }, "CVE-2020-24394": { "affected_versions": "v4.10-rc1 to v5.8-rc4", "breaks": "47057abde515155a4fee53038e7772d6b387e0aa", "cmt_msg": "nfsd: apply umask on fs without ACL support", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "score": 7.1 }, "cwe": "Incorrect Default Permissions", "fixes": "22cf8419f1319ff87ec759d0ebdff4cbafaee832", "last_affected_version": "5.7.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. 
This occurs because the current umask is not considered.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24394", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24394", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24394", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24394", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24394", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24394" } }, "CVE-2020-24490": { "affected_versions": "v4.19-rc1 to v5.8", "breaks": "c215e9397b00b3045a668120ed7dbd89f2866e74", "cmt_msg": "Bluetooth: fix kernel oops in store_pending_adv_report", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "a2ec905d1e160a33b2e210e45ad30445ef26ce0e", "last_affected_version": "5.7", "last_modified": "2023-12-06", "nvd_text": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. 
This affects all Linux kernel versions that support BlueZ.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24490", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24490", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24490", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24490", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24490", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24490" } }, "CVE-2020-24502": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24502", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24502", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24502", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24502", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24502", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24502" } }, "CVE-2020-24503": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", 
"Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24503", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24503", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24503", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24503", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24503", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24503" } }, "CVE-2020-24504": { "affected_versions": "v4.17-rc1 to v5.12-rc1-dontuse", "breaks": "837f08fdecbe4b2ffc7725624342e73b886665a8", "cmt_msg": "ice: create scheduler aggregator node config and move VSIs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": 
"b126bd6bcd6710aa984104e979a5c930f44561b4", "last_modified": "2023-12-06", "nvd_text": "Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24504", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24504", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24504", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24504", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24504", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24504" } }, "CVE-2020-24586": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mac80211: prevent mixed key and fragment cache attacks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "score": 2.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "score": 3.5 }, "cwe": "Unspecified", "fixes": "94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. 
Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24586", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24586", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24586", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24586", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24586", "Ubuntu": "https://ubuntu.com/security/CVE-2020-24586" } }, "CVE-2020-24587": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mac80211: prevent mixed key and fragment cache attacks", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "score": 1.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "score": 2.6 }, "cwe": "Inadequate Encryption Strength", "fixes": "94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. 
An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24587", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24587", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24587", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24587", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24587", "Ubuntu": "https://ubuntu.com/security/CVE-2020-24587" } }, "CVE-2020-24588": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cfg80211: mitigate A-MSDU aggregation attacks", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:M/Au:N/C:N/I:P/A:N", "score": 2.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "score": 3.5 }, "cwe": "Missing Authentication for Critical Function", "fixes": "2b8a1fee3488c602aca8bea004a087e60806a5cf", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. 
Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-24588", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-24588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-24588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-24588", "SUSE": "https://www.suse.com/security/cve/CVE-2020-24588", "Ubuntu": "https://ubuntu.com/security/CVE-2020-24588" } }, "CVE-2020-25211": { "affected_versions": "v2.6.16-rc1 to v5.9-rc7", "breaks": "c1d10adb4a521de5760112853f42aaeefcec96eb", "cmt_msg": "netfilter: ctnetlink: add a range check for l3/l4 protonum", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "score": 6.0 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "last_affected_version": "5.8.12", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25211", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25211", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-25211", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25211", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25211", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25211" } }, "CVE-2020-25212": { "affected_versions": "v3.11-rc1 to v5.9-rc1", "breaks": "aa9c2669626ca7e5e5bab28e6caeb583fd40099b", "cmt_msg": "nfs: Fix getxattr kernel panic and memory overflow", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Time-of-check Time-of-use (TOCTOU) Race Condition", "fixes": "b4487b93545214a9db8cbf32e86411677b0cca21", "last_affected_version": "5.8.2", "last_modified": "2023-12-06", "nvd_text": "A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25212", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25212", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25212", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25212", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25212", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25212" } }, "CVE-2020-25220": { "affected_versions": "v5.8-rc5 to unk", "alt_msg": "Add skcd->no_refcnt check which is missed when 
backporting", "breaks": "ad0f75e5f57ccbceec13274e1e242f2b5a6397ed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "1bfba2f4270c64c912756fc76621bbce959ddf2e", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25220", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25220", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25220", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25220", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25220", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25220" } }, "CVE-2020-25221": { "affected_versions": "v5.7-rc1 to v5.9-rc4", "breaks": "3faa52c03f440d1b9ddef18c4f189f4790d52d7e", "cmt_msg": "mm: fix pin vs. 
gup mismatch with gate pages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Operation on a Resource after Expiration or Release", "fixes": "9fa2dd946743ae6f30dc4830da19147bf100a7f2", "last_affected_version": "5.8.6", "last_modified": "2023-12-06", "nvd_text": "get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. 
This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv(), aka CID-9fa2dd946743.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25221", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25221", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25221", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25221", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25221", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25221" } }, "CVE-2020-25284": { "affected_versions": "v2.6.37-rc1 to v5.9-rc5", "breaks": "602adf400201636e95c3fed9f31fba54a3d7e844", "cmt_msg": "rbd: require global CAP_SYS_ADMIN for mapping and unmapping", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "score": 4.1 }, "cwe": "Improper Preservation of Permissions", "fixes": "f44d04e696feaf13d192d942c4f14ad2e117065a", "last_affected_version": "5.8.9", "last_modified": "2023-12-06", "nvd_text": "The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25284", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25284", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25284", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25284", "SUSE": 
"https://www.suse.com/security/cve/CVE-2020-25284", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25284" } }, "CVE-2020-25285": { "affected_versions": "v2.6.27-rc1 to v5.9-rc4", "breaks": "e5ff215941d59f8ae6bf58f6428dc5c26745a612", "cmt_msg": "mm/hugetlb: fix a race between hugetlb sysctl handlers", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "17743798d81238ab13050e8e2833699b54e15467", "last_affected_version": "5.8.7", "last_modified": "2023-12-06", "nvd_text": "A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25285", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25285", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25285", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25285", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25285", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25285" } }, "CVE-2020-25639": { "affected_versions": "v5.1-rc1 to v5.12-rc1", "breaks": "eeaf06ac1a5584e41cf289f8351e446bb131374b", "cmt_msg": "drm/nouveau: bail out of nouveau_channel_new if channel init fails", "cvss2": { 
"Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "NULL Pointer Dereference", "fixes": "eaba3b28401f50e22d64351caa8afe8d29509f27", "last_affected_version": "5.11.2", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25639", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25639", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25639", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25639" } }, "CVE-2020-25641": { "affected_versions": "v4.8-rc1 to v5.9-rc4", "breaks": "1bdc76aea1159a750846c2fc98e404403eb7d51c", "cmt_msg": "block: allow for_each_bvec to support zero len bvec", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Loop with Unreachable Exit Condition ('Infinite Loop')", "fixes": "7e24969022cbd61ddc586f14824fc205661bb124", "last_affected_version": "5.8.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25641", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25641", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25641", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25641", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25641", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25641" } }, "CVE-2020-25643": { "affected_versions": "v2.6.29-rc1 to v5.9-rc7", "breaks": "e022c2f07ae52bfbd92faa273db0db2f34eb28e8", "cmt_msg": "hdlc_ppp: add range checks in ppp_cp_parse_cr()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:S/C:P/I:P/A:C", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 7.2 }, "cwe": "Improper Input Validation", "fixes": "66d42ed8b25b64eb63111a2b8582c5afc8bf1105", "last_affected_version": 
"5.8.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25643", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25643", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25643", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25643", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25643", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25643" } }, "CVE-2020-25645": { "affected_versions": "v4.2-rc1 to v5.9-rc7", "breaks": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b", "cmt_msg": "geneve: add transport ports in route lookup for geneve", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Cleartext Transmission of Sensitive Information", "fixes": "34beb21594519ce64a55a498c2fe7d567bc1ca20", "last_affected_version": "5.8.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in versions before 5.9-rc7. 
Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25645", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25645", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25645", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25645", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25645", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25645" } }, "CVE-2020-25656": { "affected_versions": "v2.6.12-rc2 to v5.10-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt: keyboard, extend func_buf_lock to readers", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.1 }, "cwe": "Use After Free", "fixes": "82e61c3909db51d91b9d3e2071557b6435018b80", "last_affected_version": "5.9.4", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. 
The highest threat from this vulnerability is to data confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25656", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25656", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25656", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25656" } }, "CVE-2020-25661": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "score": 8.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A Red Hat only CVE-2020-12351 regression issue was found in the way the Linux kernel's Bluetooth implementation handled L2CAP packets with A2MP CID. This flaw allows a remote attacker in an adjacent range to crash the system, causing a denial of service or potentially executing arbitrary code on the system by sending a specially crafted L2CAP packet. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25661", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25661", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25661", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25661", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25661", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25661" }, "vendor_specific": true }, "CVE-2020-25662": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A Red Hat only CVE-2020-12352 regression issue was found in the way the Linux kernel's Bluetooth stack implementation handled the initialization of stack memory when handling certain AMP packets. This flaw allows a remote attacker in an adjacent range to leak small portions of stack memory on the system by sending specially crafted AMP packets. 
The highest threat from this vulnerability is to data confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25662", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25662", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25662", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25662", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25662", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25662" }, "vendor_specific": true }, "CVE-2020-25668": { "affected_versions": "v2.6.12-rc2 to v5.10-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tty: make FONTX ioctl use the tty pointer they were actually passed", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "90bfdeef83f1d6c696039b6a917190dcbbad3220", "last_affected_version": "5.9.4", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25668", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25668", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25668", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25668", "SUSE": 
"https://www.suse.com/security/cve/CVE-2020-25668", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25668" } }, "CVE-2020-25669": { "affected_versions": "v2.6.12-rc2 to v5.10-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: sunkbd - avoid use-after-free in teardown paths", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "77e70d351db7de07a46ac49b87a6c3c7a60fca7e", "last_affected_version": "5.9.9", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. 
Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25669", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25669", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25669", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25669" } }, "CVE-2020-25670": { "affected_versions": "v3.6-rc1 to v5.12-rc7", "breaks": "c7aa12252f5142b9eee2f6e34ca8870a8e7e048c", "cmt_msg": "nfc: fix refcount leak in llcp_sock_bind()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d", "last_affected_version": "5.11.13", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25670", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25670", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25670", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25670", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25670", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25670" } }, "CVE-2020-25671": { "affected_versions": "v3.6-rc1 to v5.12-rc7", "breaks": "c7aa12252f5142b9eee2f6e34ca8870a8e7e048c", "cmt_msg": "nfc: fix refcount leak in llcp_sock_connect()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "8a4cd82d62b5ec7e5482333a72b58a4eea4979f0", "last_affected_version": "5.11.13", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25671", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25671", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25671", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25671", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25671", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25671" } }, "CVE-2020-25672": { "affected_versions": "v3.3-rc1 to v5.12-rc7", "breaks": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "cmt_msg": "nfc: fix memory leak in llcp_sock_connect()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "7574fcdbdcb335763b6b322f6928dc0fd5730451", "last_affected_version": "5.11.13", "last_modified": "2023-12-06", "nvd_text": "A memory leak vulnerability was found in Linux kernel in llcp_sock_connect", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25672", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25672", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25672", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25672", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25672", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25672" } }, "CVE-2020-25673": { "affected_versions": "v3.11-rc1 to v5.12-rc7", "breaks": "b4011239a08e7e6c2c6e970dfa9e8ecb73139261", "cmt_msg": "nfc: Avoid endless loops caused by repeated llcp_sock_connect()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "4b5db93e7f2afbdfe3b78e37879a85290187e6f1", "last_affected_version": "5.11.13", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually 
hanging-up the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25673", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25673", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25673", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25673", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25673", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25673" } }, "CVE-2020-25704": { "affected_versions": "v4.7-rc1 to v5.10-rc3", "breaks": "375637bc524952f1122ea22caf5a8f1fecad8228", "cmt_msg": "perf/core: Fix a memory leak in perf_event_parse_addr_filter()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "7bdb157cdebbf95a1cd94ed2e01b338714075d00", "last_affected_version": "5.9.6", "last_modified": "2023-12-06", "nvd_text": "A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. 
A local user could use this flaw to starve the resources causing denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25704", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25704", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25704", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25704", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25704", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25704" } }, "CVE-2020-25705": { "affected_versions": "v3.18-rc1 to v5.10-rc1", "breaks": "4cdf507d54525842dfd9f6313fdafba039084046", "cmt_msg": "icmp: randomize the global rate limiter", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "score": 5.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "score": 7.4 }, "cwe": "Use of Insufficiently Random Values", "fixes": "b38e7819cae946e2edf869e604af1e65a5d241c5", "last_affected_version": "5.9.1", "last_modified": "2023-12-06", "nvd_text": "A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. 
Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-25705", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-25705", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-25705", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-25705", "SUSE": "https://www.suse.com/security/cve/CVE-2020-25705", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-25705" } }, "CVE-2020-26088": { "affected_versions": "v3.16-rc1 to v5.9-rc1", "breaks": "57be1f3f3ec1ccab6432615ca161c4c9ece2a2aa", "cmt_msg": "net/nfc/rawsock.c: add CAP_NET_RAW check.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "cwe": "Incorrect Default Permissions", "fixes": "26896f01467a28651f7a536143fe5ac8449d4041", "last_affected_version": "5.8.1", "last_modified": "2023-12-06", "nvd_text": "A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers 
to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26088", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26088", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26088", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26088", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26088", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-26088" } }, "CVE-2020-26139": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mac80211: do not accept/forward invalid EAPOL frames", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:M/Au:N/C:N/I:N/A:P", "score": 2.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.3 }, "cwe": "Improper Authentication", "fixes": "a8c4d76a8dd4fb9666fc8919a703d85fb8f44ed8", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. 
This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26139", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26139", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26139", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26139", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26139", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26139" } }, "CVE-2020-26140": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 6.5 }, "cwe": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. 
An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26140", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26140", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26140", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26140", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26140", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26140" } }, "CVE-2020-26141": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ath10k: Fix TKIP Michael MIC verification for PCIe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 6.5 }, "cwe": "Improper Validation of Integrity Check Value", "fixes": "0dc267b13f3a7e8424a898815dd357211b737330", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. 
An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26141", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26141", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26141", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26141", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26141", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26141" } }, "CVE-2020-26142": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "High", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "score": 2.6 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "score": 5.3 }, "cwe": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. 
An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26142", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26142", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26142", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26142", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26142", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26142" } }, "CVE-2020-26143": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 6.5 }, "cwe": "Improper Input Validation", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. 
An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26143", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26143", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26143", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26143", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26143", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26143" } }, "CVE-2020-26145": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ath10k: drop fragments with multicast DA for PCIe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 6.5 }, "cwe": "Improper Input Validation", "fixes": "65c415a144ad8132b6a6d97d4a1919ffc728e2d1", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. 
An adversary can abuse this to inject arbitrary network packets independent of the network configuration.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26145", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26145", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26145", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26145", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26145", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26145" } }, "CVE-2020-26147": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mac80211: assure all fragments are encrypted", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:H/Au:N/C:P/I:P/A:N", "score": 3.2 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "score": 5.4 }, "cwe": "Unspecified", "fixes": "965a7d72e798eb7af0aa67210e37cf7ecd1c9cad", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. 
This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26147", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26147", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26147", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26147", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26147", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26147" } }, "CVE-2020-26541": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "certs: Add EFI_CERT_X509_GUID support for dbx entries", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "56c5812623f95313f6a46fbf0beee7fa17c68bbf", "last_affected_version": "5.12.13", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. 
This affects certs/blacklist.c and certs/system_keyring.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26541", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26541", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26541", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26541", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26541", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-26541" } }, "CVE-2020-26555": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: SMP: Fail if remote and local public keys are identical", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "score": 4.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "score": 5.4 }, "cwe": "Incorrect Authorization", "fixes": "6d19628f539fccf899298ff02ee4c73e4bf6df3f", "last_affected_version": "5.12.6", "last_modified": "2023-12-06", "nvd_text": "Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26555", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26555", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26555", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26555", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26555", "Ubuntu": 
"https://ubuntu.com/security/CVE-2020-26555" } }, "CVE-2020-26556": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "score": 2.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.5 }, "cwe": "Improper Restriction of Excessive Authentication Attempts", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26556", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26556", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26556", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26556", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26556", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26556" } }, "CVE-2020-26557": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "score": 2.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.5 }, "cwe": "Incorrect Authorization", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26557", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26557", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26557", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26557", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26557", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26557" } }, "CVE-2020-26558": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: SMP: Fail if remote and local public keys are identical", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "score": 4.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "score": 4.2 }, "cwe": "Improper Authentication", "fixes": "6d19628f539fccf899298ff02ee4c73e4bf6df3f", "last_affected_version": "5.12.6", "last_modified": "2023-12-06", "nvd_text": "Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication 
procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26558", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26558", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26558", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26558", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26558", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26558" } }, "CVE-2020-26559": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "score": 5.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Incorrect Authorization", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner\u2019s public key, and the confirmation number and nonce provided by the provisioning device. 
This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26559", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26559", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26559", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26559", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26559", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26559" } }, "CVE-2020-26560": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "score": 4.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "score": 8.1 }, "cwe": "Incorrect Authorization", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-26560", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-26560", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-26560", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-26560", "SUSE": "https://www.suse.com/security/cve/CVE-2020-26560", "Ubuntu": "https://ubuntu.com/security/CVE-2020-26560" } }, "CVE-2020-27066": { "affected_versions": "v2.6.35-rc1 to v5.6", "breaks": "ea2dea9dacc256fe927857feb423872051642ae7", 
"cmt_msg": "xfrm: policy: Fix doulbe free in xfrm_policy_timer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "4c59406ed00379c8663f8663d82b2537467ce9d7", "last_affected_version": "5.5", "last_modified": "2023-12-06", "nvd_text": "In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168043318", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27066", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27066", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27066", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27066", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27066", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27066" } }, "CVE-2020-27067": { "affected_versions": "v2.6.35-rc1 to v4.14-rc4", "breaks": "d9e31d17ceba5f0736f5a34bbc236239cd42b420", "cmt_msg": "l2tp: fix l2tp_eth module loading", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "9f775ead5e570e7e19015b9e4e2f3dd6e71a5935", "last_affected_version": "4.13.5", "last_modified": "2023-12-06", "nvd_text": "In the l2tp subsystem, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-152409173", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27067", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27067", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27067", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27067", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27067", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27067" } }, "CVE-2020-27068": { "affected_versions": "v2.6.12-rc2 to v5.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Unspecified", "fixes": "ea75080110a4c1fa011b0a73cb8f42227143ee3e", 
"last_affected_version": "5.5.7", "last_modified": "2023-12-06", "nvd_text": "Product: Android. Versions: Android kernel. Android ID: A-127973231. References: Upstream kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27068", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27068", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27068", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27068", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27068", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27068" } }, "CVE-2020-27152": { "affected_versions": "v5.6-rc1 to v5.10-rc1", "breaks": "f458d039db7e8518041db4169d657407e3217008", "cmt_msg": "KVM: ioapic: break infinite recursion on lazy EOI", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Loop with Unreachable Exit Condition ('Infinite Loop')", "fixes": "77377064c3a94911339f13ce113b3abf265e06da", "last_affected_version": "5.9.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. 
It has an infinite loop related to improper interaction between a resampler and edge triggering, aka CID-77377064c3a9.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27152", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27152", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27152", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27152", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27152", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27152" } }, "CVE-2020-27170": { "affected_versions": "v5.10-rc1 to v5.12-rc5", "breaks": "7c6967326267bd5c0dded0a99541357d70dd11ac", "cmt_msg": "bpf: Prohibit alu ops for pointer types not defining ptr_limit", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Observable Discrepancy", "fixes": "f232326f6966cf2a1d1db7bc917a4ce5f9f55f76", "last_affected_version": "5.11.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. 
This affects pointer types that do not define a ptr_limit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27170", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27170", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27170", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27170", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27170", "Ubuntu": "https://ubuntu.com/security/CVE-2020-27170" } }, "CVE-2020-27171": { "affected_versions": "v5.10-rc1 to v5.12-rc5", "breaks": "7c6967326267bd5c0dded0a99541357d70dd11ac", "cmt_msg": "bpf: Fix off-by-one for area size in creating mask to left", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "cwe": "Off-by-one Error", "fixes": "10d2bb2e6b1d8c4576c56a748f697dbeb8388899", "last_affected_version": "5.11.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.8. 
kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27171", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27171", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27171", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27171", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27171", "Ubuntu": "https://ubuntu.com/security/CVE-2020-27171" } }, "CVE-2020-27194": { "affected_versions": "v5.7-rc1 to v5.9", "breaks": "3f50f132d8400e129fc9eb68b5020167ef80a244", "cmt_msg": "bpf: Fix scalar32_min_max_or bounds tracking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "5b9fbeb75b6a98955f628e205ac26689bcb1383e", "last_affected_version": "5.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.8.15. 
scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27194", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27194", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27194", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27194", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27194", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27194" } }, "CVE-2020-2732": { "affected_versions": "v2.6.12-rc2 to v5.6-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: nVMX: Don't emulate instructions in guest mode", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:M/Au:S/C:P/I:N/A:N", "score": 2.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.8 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "07721feee46b4b248402133228235318199b05ec", "last_affected_version": "5.5.6", "last_modified": "2023-12-06", "nvd_text": "A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. 
Under some circumstances, an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources that should be inaccessible to the L2 guest.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-2732", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-2732", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-2732", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-2732", "SUSE": "https://www.suse.com/security/cve/CVE-2020-2732", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-2732" } }, "CVE-2020-27418": { "affected_versions": "v2.6.14-rc5 to v5.6-rc5", "breaks": "0aec4867dca149e2049e8439b76bd82ad9dac52c", "cmt_msg": "vgacon: Fix a UAF in vgacon_invert_region", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "fixes": "513dc792d6060d5ef572e43852683097a8420f56", "last_affected_version": "5.5.8", "last_modified": "2023-12-06", "nvd_text": "A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obtain sensitive information via the vgacon_invert_region() function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27418", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27418", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27418", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27418", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27418", "Ubuntu": "https://ubuntu.com/security/CVE-2020-27418" } }, "CVE-2020-27673": { "affected_versions": "v2.6.12-rc2 to v5.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/events: add a proper barrier to 2-level uevent unmasking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": 
"None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "4d3fe31bd993ef504350989786858aefdb877daa", "last_affected_version": "5.9.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27673", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27673", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27673", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27673", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27673", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27673" } }, "CVE-2020-27675": { "affected_versions": "v2.6.12-rc2 to v5.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/events: avoid removing an event channel while handling it", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent 
Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "073d0552ead5bfc7a3a9c01de590e924f11b5dd2", "last_affected_version": "5.9.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27675", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27675", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27675", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27675", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27675", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27675" } }, "CVE-2020-27777": { "affected_versions": "v2.6.12-rc2 to v5.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "powerpc/rtas: Restrict RTAS requests from userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Missing Authorization", "fixes": "bd59380c5ba4147dcbaad3e582b55ccfd120b764", "last_affected_version": "5.9.4", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way RTAS handled memory accesses in userspace to kernel 
communication. On a locked-down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform), a root-like local user could use this flaw to further increase their privileges to those of the running kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27777", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27777", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27777", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27777" } }, "CVE-2020-27784": { "affected_versions": "v4.1-rc1 to v5.10-rc1", "breaks": "b26394bd567e5ebe57ec4dee7fe6cd14023c96e9", "cmt_msg": "usb: gadget: function: printer: fix use-after-free in __lock_acquire", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "e8d5f92b8d30bb4ade76494490c3c065e12411b1", "last_affected_version": "5.9.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel, where printer_ioctl() accesses a printer_dev instance after it has been deallocated. 
However, use-after-free arises because it had been freed by gprinter_free().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27784", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27784", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27784", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27784", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27784", "Ubuntu": "https://ubuntu.com/security/CVE-2020-27784" } }, "CVE-2020-27786": { "affected_versions": "v2.6.12-rc2 to v5.7-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: rawmidi: Fix racy buffer resize under concurrent accesses", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d", "last_affected_version": "5.6.13", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27786", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27786", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27786", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27786" } }, "CVE-2020-27815": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jfs: Fix array index bounds check in dbAdjTree", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "c61b3e4839007668360ed8b87d7da96d2e59fc6c", "last_affected_version": "5.10.3", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27815", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27815", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27815", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27815", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27815", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27815" } }, "CVE-2020-27820": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/nouveau: use drm_dev_unplug() during device removal", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Use After Free", "fixes": "aff2299e0d81b26304ccc6a1ec0170e437f38efc", "last_affected_version": "5.15.4", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel, where a use-after-free in nouveau's postclose() handler could happen when the device is removed (physically removing a video card without powering off is uncommon, but the same happens if the driver is detached via \"unbind\").", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27820", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27820", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27820", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27820", "SUSE": 
"https://www.suse.com/security/cve/CVE-2020-27820", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27820" } }, "CVE-2020-27825": { "affected_versions": "v3.5-rc1 to v5.10-rc1", "breaks": "83f40318dab00e3298a1f6d0b12ac025e84e478d", "cmt_msg": "tracing: Fix race in trace_open and buffer resize call", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:C", "score": 5.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 5.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "bbeb97464eefc65f506084fd9f18f21653e01137", "last_affected_version": "5.9.4", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux kernel (before 5.10-rc1). There was a race between trace_open and a resize of the per-CPU buffer running in parallel on different CPUs, which may cause a denial of service (DoS). 
This flaw could even allow a local attacker with special user privilege to obtain a kernel information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27825", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27825", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27825", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27825", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27825", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27825" } }, "CVE-2020-27830": { "affected_versions": "v4.13-rc1 to v5.10-rc7", "breaks": "6b9ad1c742bf227b1005a41d8baa315b747e3e8d", "cmt_msg": "speakup: Reject setting the speakup line discipline outside of speakup", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "f0992098cadb4c9c6a00703b66cafe604e178fea", "last_affected_version": "5.9.13", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel where the spk_ttyio_receive_buf2() function dereferences spk_ttyio_synth without checking whether it is NULL, which may lead to a NULL pointer dereference crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27830", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27830", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27830", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27830", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27830", 
"Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27830" } }, "CVE-2020-27835": { "affected_versions": "v4.8-rc4 to v5.10-rc6", "breaks": "e0cf75deab8155334c8228eb7f097b15127d0a49", "cmt_msg": "IB/hfi1: Ensure correct mm is used at all times", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Use After Free", "fixes": "3d2a9d642512c21a12d19b9250e7a835dcb41a79", "last_affected_version": "5.9.11", "last_modified": "2023-12-06", "nvd_text": "A use after free in the Linux kernel InfiniBand hfi1 driver in versions prior to 5.10-rc6 was found in the way a user calls ioctl() on the device file after opening it and then forking. 
A local user could use this flaw to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-27835", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-27835", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-27835", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-27835", "SUSE": "https://www.suse.com/security/cve/CVE-2020-27835", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27835" } }, "CVE-2020-28097": { "affected_versions": "v2.6.12-rc2 to v5.9-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vgacon: remove software scrollback support", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 5.9 }, "cwe": "Out-of-bounds Read", "fixes": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "last_affected_version": "5.8.9", "last_modified": "2023-12-06", "nvd_text": "The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. 
There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-28097", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-28097", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-28097", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-28097", "SUSE": "https://www.suse.com/security/cve/CVE-2020-28097", "Ubuntu": "https://ubuntu.com/security/CVE-2020-28097" } }, "CVE-2020-28374": { "affected_versions": "v3.12-rc1 to v5.11-rc4", "breaks": "cbf031f425fd0b30ff10ba83b612753189a6bbbf", "cmt_msg": "scsi: target: Fix XCOPY NAA identifier lookup", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "score": 5.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "score": 8.1 }, "cwe": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "fixes": "2896c93811e39d63a4d9b63ccf12a8fbc226e5e4", "last_affected_version": "5.10.6", "last_modified": "2023-12-06", "nvd_text": "In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. 
The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-28374", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-28374", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-28374", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-28374", "SUSE": "https://www.suse.com/security/cve/CVE-2020-28374", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28374" } }, "CVE-2020-28588": { "affected_versions": "v5.1-rc4 to v5.10-rc7", "breaks": "631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0", "cmt_msg": "lib/syscall: fix syscall registers retrieval on 32-bit platforms", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Incorrect Conversion between Numeric Types", "fixes": "4f134b89a24b965991e7c345b9a4591821f7c2a6", "last_affected_version": "5.9.13", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. 
An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-28588", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-28588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-28588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-28588", "SUSE": "https://www.suse.com/security/cve/CVE-2020-28588", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28588" } }, "CVE-2020-28915": { "affected_versions": "v2.6.12-rc2 to v5.9", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbcon: Fix global-out-of-bounds read in fbcon_get_font()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "Low", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H", "score": 5.8 }, "cwe": "Out-of-bounds Read", "fixes": "5af08640795b2b9a940c9266c0260455377ae262", "last_affected_version": "5.8", "last_modified": "2023-12-06", "nvd_text": "A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-28915", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-28915", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-28915", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-28915", "SUSE": "https://www.suse.com/security/cve/CVE-2020-28915", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28915" } }, "CVE-2020-28941": { "affected_versions": "v4.13-rc1 to v5.10-rc5", "breaks": "6b9ad1c742bf227b1005a41d8baa315b747e3e8d", "cmt_msg": "speakup: Do not let the line discipline be used several times", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Release of Invalid Pointer or Reference", "fixes": "d4122754442799187d5d537a9c039a49a67e57f1", "last_affected_version": "5.9.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. 
This occurs because of an invalid free when the line discipline is used more than once.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-28941", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-28941", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-28941", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-28941", "SUSE": "https://www.suse.com/security/cve/CVE-2020-28941", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28941" } }, "CVE-2020-28974": { "affected_versions": "v2.6.12-rc2 to v5.10-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt: Disable KD_FONT_OP_COPY", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H", "score": 5.0 }, "cwe": "Out-of-bounds Read", "fixes": "3c4e0dff2095c579b142d5a0693257f1c58b4804", "last_affected_version": "5.9.6", "last_modified": "2023-12-06", "nvd_text": "A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. 
This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-28974", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-28974", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-28974", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-28974", "SUSE": "https://www.suse.com/security/cve/CVE-2020-28974", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28974" } }, "CVE-2020-29368": { "affected_versions": "v4.6 to v5.8-rc1", "breaks": "6d0a07edd17cfc12fdc1f36de8072fa17cc3666f", "cmt_msg": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Out-of-bounds Write", "fixes": "c444eb564fb16645c172d550359cb3d75fe8a040", "last_affected_version": "5.7.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. 
The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29368", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29368", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29368", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29368", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29368", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29368" } }, "CVE-2020-29369": { "affected_versions": "v4.20-rc1 to v5.8-rc7", "breaks": "dd2283f2605e3b3e9c61bcae844b34f2afa4813f", "cmt_msg": "mm/mmap.c: close race between munmap() and expand_upwards()/downwards()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c", "last_affected_version": "5.7.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. 
There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29369", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29369", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29369", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29369", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29369", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29369" } }, "CVE-2020-29370": { "affected_versions": "v4.3-rc1 to v5.6-rc7", "breaks": "ebe909e0fdb34b980c5cf636c495e4f0bb0dfda8", "cmt_msg": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8", "last_affected_version": "5.5.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. 
The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29370", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29370", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29370", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29370", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29370", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29370" } }, "CVE-2020-29371": { "affected_versions": "v2.6.30-rc1 to v5.9-rc2", "breaks": "da4458bda237aa0cb1688f6c359477f203788f6a", "cmt_msg": "romfs: fix uninitialized memory leak in romfs_dev_read()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Use of Uninitialized Resource", "fixes": "bcf85fcedfdd17911982a3e3564fcfec7b01eebd", "last_affected_version": "5.8.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. 
Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29371", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29371", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29371", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29371", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29371", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29371" } }, "CVE-2020-29372": { "affected_versions": "v5.6-rc1 to v5.7-rc3", "breaks": "c1ca757bd6f4632c510714631ddcc2d13030fe1e", "cmt_msg": "mm: check that mm is still valid in madvise()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "bc0c4d1e176eeb614dc8734fc3ace34292771f11", "last_affected_version": "5.6.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. 
There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1e176e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29372", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29372", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29372", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29372", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29372", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29372" } }, "CVE-2020-29373": { "affected_versions": "v5.1-rc1 to v5.6-rc2", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: grab ->fs as part of async preparation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "fixes": "ff002b30181d30cdfbca316dadd099c3ca0d739c", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. 
It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29373", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29373", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29373", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29373", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29373", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29373" } }, "CVE-2020-29374": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "gup: document and work around \"COW can break either way\" issue", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "score": 3.6 }, "cwe": "Incorrect Authorization", "fixes": "17839856fd588f4ab6b789f482ed3ffd7c403e1f", "last_affected_version": "5.7.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. 
The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29374", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29374", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29374", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29374", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29374", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29374" } }, "CVE-2020-29534": { "affected_versions": "v5.1-rc1 to v5.10-rc1", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: don't rely on weak ->files references", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "0f2122045b946241a9e549c2a76cea54fa58a7ff", "last_affected_version": "5.9.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.9.3. 
io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29534", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29534", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29534", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29534", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29534", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29534" } }, "CVE-2020-29568": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/xenbus: Allow watches discard events before queueing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "fed1755b118147721f2c87b37b9d66e62c39b668", "last_affected_version": "5.10.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. 
All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29568", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29568", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29568", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29568", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29568", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29568" } }, "CVE-2020-29569": { "affected_versions": "v4.12-rc7 to v5.11-rc1", "breaks": "a24fa22ce22ae302b3bf8f7008896d52d5d57b8d", "cmt_msg": "xen-blkback: set ring->xenblkd to NULL after kthread_stop()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Unchecked Return Value", "fixes": "1c728719a4da6e654afb9cc047164755072ed7c9", "last_affected_version": "5.10.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. 
This only affects systems with a Linux blkback.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29569", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29569", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29569", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29569", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29569", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29569" } }, "CVE-2020-29660": { "affected_versions": "v2.6.12-rc2 to v5.10-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tty: Fix ->session locking", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Improper Locking", "fixes": "c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "last_affected_version": "5.9.13", "last_modified": "2023-12-06", "nvd_text": "A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. 
drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29660", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29660", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29660", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29660" } }, "CVE-2020-29661": { "affected_versions": "v2.6.26-rc1 to v5.10-rc7", "breaks": "47f86834bbd4193139d61d659bebf9ab9d691e37", "cmt_msg": "tty: Fix ->pgrp locking in tiocspgrp()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Locking", "fixes": "54ffccbf053b5b6ca4f6e45094b942fab92a25fc", "last_affected_version": "5.9.13", "last_modified": "2023-12-06", "nvd_text": "A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. 
drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-29661", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-29661", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-29661", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-29661", "SUSE": "https://www.suse.com/security/cve/CVE-2020-29661", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29661" } }, "CVE-2020-35499": { "affected_versions": "v5.10-rc1 to v5.11-rc1", "breaks": "0fc1a726f897acfa774b17eeb62b38480d1c9ea0", "cmt_msg": "Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "NULL Pointer Dereference", "fixes": "f6b8c6b5543983e9de29dc14716bfa4eb3f157c4", "last_affected_version": "5.10.3", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw in Linux kernel versions prior to 5.11 may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets. 
This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-35499", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-35499", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-35499", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-35499", "SUSE": "https://www.suse.com/security/cve/CVE-2020-35499", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-35499" } }, "CVE-2020-35501": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "score": 3.4 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of audit rules, where a syscall can unexpectedly fail to be logged correctly by the audit subsystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-35501", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-35501", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-35501", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-35501", "SUSE": "https://www.suse.com/security/cve/CVE-2020-35501", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-35501" } }, "CVE-2020-35508": { "affected_versions": "v3.4-rc1 to v5.10-rc3", "breaks": "5f8aadd8b9966d71a77bba52b9d499cc2f38269f", "cmt_msg": "fork: fix copy_process(CLONE_PARENT) race with 
the exiting ->real_parent", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "score": 4.5 }, "cwe": "Improper Initialization", "fixes": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "last_affected_version": "5.9.6", "last_modified": "2023-12-06", "nvd_text": "A possible race condition and incorrect initialization of the process id were found in the Linux kernel's child/parent process identification handling while filtering signal handlers. A local attacker could abuse this flaw to bypass checks and send any signal to a privileged process.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-35508", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-35508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-35508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-35508", "SUSE": "https://www.suse.com/security/cve/CVE-2020-35508", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-35508" } }, "CVE-2020-35513": { "affected_versions": "v4.10-rc1 to v4.17-rc1", "breaks": "47057abde515155a4fee53038e7772d6b387e0aa", "cmt_msg": "nfsd: fix incorrect umasks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "score": 4.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", 
"Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.9 }, "cwe": "Privilege Dropping / Lowering Errors", "fixes": "880a3a5325489a143269a8e172e7563ebf9897bc", "last_affected_version": "4.16.2", "last_modified": "2023-12-06", "nvd_text": "A flaw (an incorrect umask during file or directory modification) in the Linux kernel NFS (network file system) functionality was found in the way users create and delete objects using NFSv4.2 or newer while another process that is not using the new NFSv4.2 simultaneously accesses the NFS. A user with access to the NFS could use this flaw to starve resources, causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-35513", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-35513", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-35513", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-35513", "SUSE": "https://www.suse.com/security/cve/CVE-2020-35513", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-35513" } }, "CVE-2020-35519": { "affected_versions": "v2.6.12-rc2 to v5.10-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/x25: prevent a couple of overflows", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:C/I:P/A:C", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "6ee50c8e262a0f0693dad264c3c99e30e6442a56", "last_affected_version": 
"5.9.12", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-35519", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-35519", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-35519", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-35519", "SUSE": "https://www.suse.com/security/cve/CVE-2020-35519", "Ubuntu": "https://ubuntu.com/security/CVE-2020-35519" } }, "CVE-2020-36158": { "affected_versions": "v3.0-rc1 to v5.11-rc1", "breaks": "5e6e3a92b9a4c9416b17f468fa5c7fa2233b8b4e", "cmt_msg": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "5c455c5ab332773464d02ba17015acdca198f03d", "last_affected_version": "5.10.5", "last_modified": "2023-12-06", "nvd_text": "mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute 
arbitrary code via a long SSID value, aka CID-5c455c5ab332.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36158", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36158", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36158", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36158", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36158", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-36158" } }, "CVE-2020-36310": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: SVM: avoid infinite loop on NPF from bad address", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Loop with Unreachable Exit Condition ('Infinite Loop')", "fixes": "e72436bc3a5206f95bb384e741154166ddb3202e", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.8. 
arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36310", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36310", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36310", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36310", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36310", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36310" } }, "CVE-2020-36311": { "affected_versions": "v4.16-rc1 to v5.9-rc5", "breaks": "5dd0a57cf38eeb8b6be1d9c3df9add2f5756d974", "cmt_msg": "KVM: SVM: Periodically schedule when unregistering regions on destroy", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "7be74942f184fdfba34ddd19a0d995deb34d4a03", "last_affected_version": "5.4.130", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.9. 
arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36311", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36311", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36311", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36311", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36311", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36311" } }, "CVE-2020-36312": { "affected_versions": "v4.11-rc5 to v5.9-rc5", "breaks": "90db10434b163e46da413d34db8d0e77404cc645", "cmt_msg": "KVM: fix memory leak in kvm_io_bus_unregister_dev()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "f65886606c2d3b562716de030706dfe1bea4ed5e", "last_affected_version": "5.8.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.8.10. 
virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36312", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36312", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36312", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36312", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36312", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36312" } }, "CVE-2020-36313": { "affected_versions": "v5.7-rc1 to v5.7-rc1", "backport": true, "breaks": "36947254e5f981aeeedab1c7dfa35fc34d330e80", "cmt_msg": "KVM: Fix out of range accesses to memslots", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "0774a964ef561b7170d8d1b1bfe6f88002b6d219", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.7. The KVM subsystem allows out-of-range access to memslots after a deletion, aka CID-0774a964ef56. 
This affects arch/s390/kvm/kvm-s390.c, include/linux/kvm_host.h, and virt/kvm/kvm_main.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36313", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36313", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36313", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36313", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36313", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36313" } }, "CVE-2020-36322": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fuse: fix bad inode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Incomplete Cleanup", "fixes": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "last_affected_version": "5.10.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. 
NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36322", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36322", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36322", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36322", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36322", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36322" } }, "CVE-2020-36385": { "affected_versions": "v2.6.25-rc1 to v5.10-rc1", "breaks": "88314e4dda1e158aabce76429ef4d017b48f8b92", "cmt_msg": "RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "score": 6.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f5449e74802c1112dea984aec8af7a33c4516af1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.10. 
drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36385", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36385", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36385", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36385", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36385", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36385" } }, "CVE-2020-36386": { "affected_versions": "v2.6.12-rc2 to v5.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "51c19bf3d5cfaa66571e4b88ba2a6f6295311101", "last_affected_version": "5.8.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.8.1. 
net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36386", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36386", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36386", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36386", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36386", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36386" } }, "CVE-2020-36387": { "affected_versions": "v5.7-rc1 to v5.9-rc1", "breaks": "b41e98524e424d104aa7851d54fd65820759875a", "cmt_msg": "io_uring: hold 'ctx' reference around task_work queue + execute", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "6d816e088c359866f9867057e04f244c608c42fe", "last_affected_version": "5.8.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.8.2. 
fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36387", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36387", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36387", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36387", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36387", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36387" } }, "CVE-2020-36516": { "affected_versions": "v3.16-rc1 to v5.17-rc2", "breaks": "73f156a6e8c1074ac6327e0abd1169e95eb66463", "cmt_msg": "ipv4: avoid using shared IP generator for connected sockets", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "score": 4.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "Low", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "score": 5.9 }, "cwe": "Use of a Broken or Risky Cryptographic Algorithm", "fixes": "23f57406b82de51809d5812afd96f210f8b627f3", "last_affected_version": "5.16.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16.11. 
The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36516", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36516", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36516", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36516" } }, "CVE-2020-36557": { "affected_versions": "v3.4-rc1 to v5.7-rc1", "breaks": "4001d7b7fc271052ebff43f327c26dc64806bbdf", "cmt_msg": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "ca4463bf8438b403596edd0ec961ca0d4fbe0220", "last_affected_version": "5.6.1", "last_modified": "2023-12-06", "nvd_text": "A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36557", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36557", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36557", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36557", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36557", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36557" } }, "CVE-2020-36558": { "affected_versions": "v2.6.12-rc2 to v5.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt: vt_ioctl: fix race in 
VT_RESIZEX", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.1 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "6cd1ed50efd88261298577cd92a14f2768eddeeb", "last_affected_version": "5.5.6", "last_modified": "2023-12-06", "nvd_text": "A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36558", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36558", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36558", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36558", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36558", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36558" } }, "CVE-2020-36691": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netlink: limit recursion depth in policy validation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "7690aa1cdf7c4565ad6b013b324c28b685505e24", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.8. 
lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36691", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36691", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36691", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36691", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36691", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36691" } }, "CVE-2020-36694": { "affected_versions": "v4.15-rc1 to v5.10", "breaks": "80055dab5de0c8677bc148c4717ddfc753a9148e", "cmt_msg": "netfilter: x_tables: Switch synchronization to RCU", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "cc00bcaa589914096edef7fb87ca5cee4a166b5c", "last_affected_version": "5.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. 
NOTE: cc00bca was reverted in 5.12.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36694", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36694", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36694", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36694", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36694" } }, "CVE-2020-36766": { "affected_versions": "v4.8-rc1 to v5.9-rc1", "breaks": "ca684386e6e21ba1511061f71577cdb6c3f2b3d3", "cmt_msg": "cec-api: prevent leaking memory through hole in structure", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Unspecified", "fixes": "6c42227c3467549ddc65efe99c869021d2f4a570", "last_affected_version": "5.8.5", "last_modified": "2024-02-09", "nvd_text": "An issue was discovered in the Linux kernel before 5.8.6. 
drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36766", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36766", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36766", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36766", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36766", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36766" } }, "CVE-2020-36775": { "affected_versions": "v2.6.12-rc2 to v5.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to avoid potential deadlock", "fixes": "df77fbd8c5b222c680444801ffd20e8bbc90a56e", "last_affected_version": "5.6.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nUsing f2fs_trylock_op() in f2fs_write_compressed_pages() to avoid potential\ndeadlock like we did in f2fs_write_single_data_page().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36775", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36775", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36775", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36775", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36775", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36775" } }, "CVE-2020-36776": { "affected_versions": "v5.8-rc4 to v5.13-rc1", "breaks": "371a3bc79c11b707d7a1b7a2c938dc3cc042fffb", "cmt_msg": "thermal/drivers/cpufreq_cooling: Fix slab OOB issue", "fixes": "34ab17cc6c2c1ac93d7e5d53bb972df9a968f085", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/cpufreq_cooling: Fix slab OOB issue\n\nSlab OOB issue is scanned by 
KASAN in cpu_power_to_freq().\nIf power is limited below the power of OPP0 in EM table,\nit will cause slab out-of-bound issue with negative array\nindex.\n\nReturn the lowest frequency if limited power cannot found\na suitable OPP in EM table to fix this issue.\n\nBacktrace:\n[] die+0x104/0x5ac\n[] bug_handler+0x64/0xd0\n[] brk_handler+0x160/0x258\n[] do_debug_exception+0x248/0x3f0\n[] el1_dbg+0x14/0xbc\n[] __kasan_report+0x1dc/0x1e0\n[] kasan_report+0x10/0x20\n[] __asan_report_load8_noabort+0x18/0x28\n[] cpufreq_power2state+0x180/0x43c\n[] power_actor_set_power+0x114/0x1d4\n[] allocate_power+0xaec/0xde0\n[] power_allocator_throttle+0x3ec/0x5a4\n[] handle_thermal_trip+0x160/0x294\n[] thermal_zone_device_check+0xe4/0x154\n[] process_one_work+0x5e4/0xe28\n[] worker_thread+0xa4c/0xfac\n[] kthread+0x33c/0x358\n[] ret_from_fork+0xc/0x18", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36776", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36776", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36776", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36776", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36776", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36776" } }, "CVE-2020-36777": { "affected_versions": "v4.5-rc1 to v5.13-rc1", "breaks": "0230d60e4661d9ced6fb0b9a30f182ebdafbba7a", "cmt_msg": "media: dvbdev: Fix memory leak in dvb_media_device_free()", "fixes": "bf9a40ae8d722f281a2721779595d6df1c33a0bf", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: Fix memory leak in dvb_media_device_free()\n\ndvb_media_device_free() is leaking memory. 
Free `dvbdev->adapter->conn`\nbefore setting it to NULL, as documented in include/media/media-device.h:\n\"The media_entity instance itself must be freed explicitly by the driver\nif required.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36777", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36777", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36777", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36777" } }, "CVE-2020-36778": { "affected_versions": "v5.6-rc1 to v5.13-rc1", "breaks": "10b17004a74c384c6f410af355b0d6d7a168f613", "cmt_msg": "i2c: xiic: fix reference leak when pm_runtime_get_sync fails", "fixes": "a85c5c7a3aa8041777ff691400b4046e56149fd3", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: xiic: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in xiic_xfer and xiic_i2c_remove.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. 
Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36778", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36778", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36778", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36778", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36778", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36778" } }, "CVE-2020-36779": { "affected_versions": "v5.6-rc1 to v5.13-rc1", "breaks": "ea6dd25deeb5b797a145be7f860e3085e7d104c3", "cmt_msg": "i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails", "fixes": "2c662660ce2bd3b09dae21a9a9ac9395e1e6c00b", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: stm32f7: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in these stm32f7_i2c_xx serious functions.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. 
Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36779", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36779", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36779", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36779", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36779", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36779" } }, "CVE-2020-36780": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "i2c: sprd: fix reference leak when pm_runtime_get_sync fails", "fixes": "3a4f326463117cee3adcb72999ca34a9aaafda93", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: sprd: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in sprd_i2c_master_xfer() and sprd_i2c_remove().\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. 
Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36780", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36780", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36780", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36780", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36780", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36780" } }, "CVE-2020-36781": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "i2c: imx: fix reference leak when pm_runtime_get_sync fails", "fixes": "47ff617217ca6a13194fcb35c6c3a0c57c080693", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: fix reference leak when pm_runtime_get_sync fails\n\nIn i2c_imx_xfer() and i2c_imx_remove(), the pm reference count\nis not expected to be incremented on return.\n\nHowever, pm_runtime_get_sync will increment pm reference count\neven failed. 
Forgetting to putting operation will result in a\nreference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36781", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36781", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36781", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36781" } }, "CVE-2020-36782": { "affected_versions": "v4.16-rc1 to v5.13-rc1", "breaks": "13d6eb20fc79a1e606307256dad4098375539a09", "cmt_msg": "i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails", "fixes": "278e5bbdb9a94fa063c0f9bcde2479d0b8042462", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in lpi2c_imx_master_enable.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. 
Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36782", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36782", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36782", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36782", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36782", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36782" } }, "CVE-2020-36783": { "affected_versions": "v4.15-rc1 to v5.13-rc1", "breaks": "93222bd9b966105f43418fd336654ad10045783a", "cmt_msg": "i2c: img-scb: fix reference leak when pm_runtime_get_sync fails", "fixes": "223125e37af8a641ea4a09747a6a52172fc4b903", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: img-scb: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in functions img_i2c_xfer and img_i2c_init.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. 
Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36783", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36783", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36783", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36783", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36783", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36783" } }, "CVE-2020-36784": { "affected_versions": "v4.5-rc1 to v5.13-rc1", "breaks": "7fa32329ca03148fb2c07b4ef3247b8fc0488d6a", "cmt_msg": "i2c: cadence: fix reference leak when pm_runtime_get_sync fails", "fixes": "23ceb8462dc6f4b4decdb5536a7e5fc477cdf0b6", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cadence: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in functions cdns_i2c_master_xfer and cdns_reg_slave.\n\nHowever, pm_runtime_get_sync will increment pm usage counter\neven failed. 
Forgetting to putting operation will result in a\nreference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36784", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36784", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36784", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36784", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36784", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36784" } }, "CVE-2020-36785": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "ad85094b293e40e7a2f831b0311a389d952ebd5e", "cmt_msg": "media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs()", "fixes": "ba11bbf303fafb33989e95473e409f6ab412b18d", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs()\n\nThe \"s3a_buf\" is freed along with all the other items on the\n\"asd->s3a_stats\" list. 
It leads to a double free and a use after free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36785", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36785", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36785", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36785", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36785", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36785" } }, "CVE-2020-36786": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "9289cdf399922a1bd801a8cd946a79581c00a380", "cmt_msg": "media: [next] staging: media: atomisp: fix memory leak of object flash", "fixes": "6045b01dd0e3cd3759eafe7f290ed04c957500b1", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: [next] staging: media: atomisp: fix memory leak of object flash\n\nIn the case where the call to lm3554_platform_data_func returns an\nerror there is a memory leak on the error return path of object\nflash. 
Fix this by adding an error return path that will free\nflash and rename labels fail2 to fail3 and fail1 to fail2.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36786", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36786", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36786", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36786" } }, "CVE-2020-36787": { "affected_versions": "v5.0-rc1 to v5.13-rc1", "breaks": "d2b4387f3bdf016e266d23cf657465f557721488", "cmt_msg": "media: aspeed: fix clock handling logic", "fixes": "3536169f8531c2c5b153921dc7d1ac9fd570cda7", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: aspeed: fix clock handling logic\n\nVideo engine uses eclk and vclk for its clock sources and its reset\ncontrol is coupled with eclk so the current clock enabling sequence works\nlike below.\n\n Enable eclk\n De-assert Video Engine reset\n 10ms delay\n Enable vclk\n\nIt introduces improper reset on the Video Engine hardware and eventually\nthe hardware generates unexpected DMA memory transfers that can corrupt\nmemory region in random and sporadic patterns. This issue is observed\nvery rarely on some specific AST2500 SoCs but it causes a critical\nkernel panic with making a various shape of signature so it's extremely\nhard to debug. Moreover, the issue is observed even when the video\nengine is not actively used because udevd turns on the video engine\nhardware for a short time to make a query in every boot.\n\nTo fix this issue, this commit changes the clock handling logic to make\nthe reset de-assertion triggered after enabling both eclk and vclk. 
Also,\nit adds clk_unprepare call for a case when probe fails.\n\nclk: ast2600: fix reset settings for eclk and vclk\nVideo engine reset setting should be coupled with eclk to match it\nwith the setting for previous Aspeed SoCs which is defined in\nclk-aspeed.c since all Aspeed SoCs are sharing a single video engine\ndriver. Also, reset bit 6 is defined as 'Video Engine' reset in\ndatasheet so it should be de-asserted when eclk is enabled. This\ncommit fixes the setting.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-36787", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-36787", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-36787", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-36787", "SUSE": "https://www.suse.com/security/cve/CVE-2020-36787", "Ubuntu": "https://ubuntu.com/security/CVE-2020-36787" } }, "CVE-2020-3702": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1-dontuse", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ath: Use safer key clearing with key cache entries", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Cleartext Transmission of Sensitive Information", "fixes": "56c5485c9e444c2e85e11694b6c44f1338fc20fd", "last_affected_version": "5.10.60", "last_modified": "2023-12-06", "nvd_text": "u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over 
the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-3702", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-3702", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-3702", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-3702", "SUSE": "https://www.suse.com/security/cve/CVE-2020-3702", "Ubuntu": "https://ubuntu.com/security/CVE-2020-3702" } }, "CVE-2020-4788": { "affected_versions": "v2.6.12-rc2 to v5.10-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "powerpc/64s: flush L1D on kernel entry", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Unspecified", "fixes": "f79643787e0a0762d2409b7b8334e83f22d85695", "last_affected_version": "5.9.9", "last_modified": "2023-12-06", "nvd_text": "IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. 
IBM X-Force ID: 189296.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-4788", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-4788", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-4788", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-4788", "SUSE": "https://www.suse.com/security/cve/CVE-2020-4788", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-4788" } }, "CVE-2020-7053": { "affected_versions": "v4.14-rc1 to v5.2-rc1", "breaks": "1acfc104cdf8a3408f0e83b4115d4419c6315005", "cmt_msg": "drm/i915: Introduce a mutex for file_priv->context_idr", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "7dc40713618c884bf07c030d1ab1f47a9dc1f310", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. 
This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-7053", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-7053", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-7053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-7053", "SUSE": "https://www.suse.com/security/cve/CVE-2020-7053", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7053" } }, "CVE-2020-8428": { "affected_versions": "v4.19-rc1 to v5.5", "breaks": "30aba6656f61ed44cba445a3c0d38b296fa9e8f5", "cmt_msg": "do_last(): fetch directory ->i_mode and ->i_uid before it's too late", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Use After Free", "fixes": "d0cb50185ae942b03c4327be322055d622dc79f6", "last_affected_version": "5.4", "last_modified": "2023-12-06", "nvd_text": "fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. 
One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8428", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8428", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8428", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8428", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8428", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8428" } }, "CVE-2020-8647": { "affected_versions": "v2.6.14-rc5 to v5.6-rc5", "breaks": "0aec4867dca149e2049e8439b76bd82ad9dac52c", "cmt_msg": "vgacon: Fix a UAF in vgacon_invert_region", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "score": 6.1 }, "cwe": "Use After Free", "fixes": "513dc792d6060d5ef572e43852683097a8420f56", "last_affected_version": "5.5.8", "last_modified": "2023-12-06", "nvd_text": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8647", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8647", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8647", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8647" } }, "CVE-2020-8648": { "affected_versions": "v2.6.12-rc2 to v5.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt: selection, close sel_buffer race", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Use After Free", "fixes": "07e6124a1a46b4b5a9b3cacc0c306b50da87abf5", "last_affected_version": "5.5.8", "last_modified": "2023-12-06", "nvd_text": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8648", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8648", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8648", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8648" } }, "CVE-2020-8649": { "affected_versions": "v2.6.14-rc5 to v5.6-rc5", "breaks": "0aec4867dca149e2049e8439b76bd82ad9dac52c", "cmt_msg": "vgacon: Fix a UAF in vgacon_invert_region", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", 
"Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 5.9 }, "cwe": "Use After Free", "fixes": "513dc792d6060d5ef572e43852683097a8420f56", "last_affected_version": "5.5.8", "last_modified": "2023-12-06", "nvd_text": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8649", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8649", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8649", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8649", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8649", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8649" } }, "CVE-2020-8694": { "affected_versions": "v3.13-rc1 to v5.10-rc4", "breaks": "2d281d8196e38dd3a4ee9af26621ddde8329f269", "cmt_msg": "powercap: restrict energy meter to root access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "949dd0104c496fa7c14991a23c03c62e44637e71", "last_affected_version": "5.9.7", "last_modified": "2023-12-06", "nvd_text": "Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", 
"ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8694", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8694", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8694", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8694", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8694", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8694" } }, "CVE-2020-8832": { "affected_versions": "unk to unk", "backport": true, "breaks": "bc8a76a152c5f9ef3b48104154a65a68a8b76946", "cmt_msg": "drm/i915: Record the default hw state after reset upon load", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "d2b4b97933f5adacfba42dc3b9200d0e21fbe2c4", "last_modified": "2023-12-06", "nvd_text": "The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 (\"The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.\") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this vulnerability to expose sensitive information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8832", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8832", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8832", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8832", "SUSE": 
"https://www.suse.com/security/cve/CVE-2020-8832", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8832" } }, "CVE-2020-8834": { "affected_versions": "v4.8-rc1 to v4.18-rc1", "breaks": "f024ee098476a3e620232e4a78cfac505f121245", "cmt_msg": "KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "7b0e827c6970e8ca77c60ae87592204c39e41245", "last_modified": "2023-12-06", "nvd_text": "KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 (\"KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures\") 87a11bb6a7f7 (\"KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode\") The former landed in 4.8, the latter in 4.17. 
This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\") 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\") 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8834", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8834", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8834", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8834", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8834", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8834" } }, "CVE-2020-8835": { "affected_versions": "v5.5-rc1 to v5.7-rc1", "breaks": "581738a681b6faae5725c2555439189ca81c0f1f", "cmt_msg": "bpf: Undo incorrect __reg_bound_offset32 handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "f2d67fec0b43edce8c416101cdc52e71145b5fef", "last_affected_version": "5.6.0", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and 
writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8835", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8835", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8835", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-8835", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8835", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8835" } }, "CVE-2020-8992": { "affected_versions": "v5.2-rc1 to v5.6-rc2", "breaks": "345c0dbf3a30872d9b204db96b5857cd00808cae", "cmt_msg": "ext4: add cond_resched() to ext4_protect_reserved_inode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "af133ade9a40794a37104ecbcc2827c0ea373a3c", "last_affected_version": "5.5.4", "last_modified": "2023-12-06", "nvd_text": "ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-8992", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-8992", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-8992", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2020-8992", "SUSE": "https://www.suse.com/security/cve/CVE-2020-8992", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8992" } }, "CVE-2020-9383": { "affected_versions": "v2.6.12-rc2 to v5.6-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: check FDC index for errors before assigning it", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "2e90ca68b0d2f5548804f22f0dd61145516171e3", "last_affected_version": "5.5.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 3.16 through 5.5.6. 
set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-9383", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-9383", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-9383", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-9383", "SUSE": "https://www.suse.com/security/cve/CVE-2020-9383", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9383" } }, "CVE-2020-9391": { "affected_versions": "v5.4-rc1 to v5.6-rc3", "breaks": "ce18d171cb7368557e6498a3ce111d7d3dc03e4d", "cmt_msg": "mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "dcde237319e626d1ec3c9d8b7613032f0fd4663a", "last_affected_version": "5.5.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. 
This has been observed to cause heap corruption with the GNU C Library malloc implementation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2020-9391", "ExploitDB": "https://www.exploit-db.com/search?cve=2020-9391", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2020-9391", "Red Hat": "https://access.redhat.com/security/cve/CVE-2020-9391", "SUSE": "https://www.suse.com/security/cve/CVE-2020-9391", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9391" } }, "CVE-2021-0129": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: SMP: Fail if remote and local public keys are identical", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:S/C:P/I:N/A:N", "score": 2.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.7 }, "cwe": "Unspecified", "fixes": "6d19628f539fccf899298ff02ee4c73e4bf6df3f", "last_affected_version": "5.12.6", "last_modified": "2023-12-06", "nvd_text": "Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0129", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0129", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0129", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0129", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0129", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0129" } }, "CVE-2021-0342": { "affected_versions": "v4.15-rc1 to 
v5.8-rc1", "breaks": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "cmt_msg": "tun: correct header offsets in napi frags mode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "96aa1b22bd6bb9fccf62f6261f390ed6f3e7967f", "last_affected_version": "5.7.2", "last_modified": "2023-12-06", "nvd_text": "In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. User interaction is not required for exploitation. 
Product: Android; Versions: Android kernel; Android ID: A-146554327.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0342", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0342", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0342", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0342", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0342", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-0342" } }, "CVE-2021-0399": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In qtaguid_untag of xt_qtaguid.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-176919394; References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0399", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0399", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0399", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0399", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0399", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-0399" } }, "CVE-2021-0447": { "affected_versions": "v2.6.12-rc2 to v4.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "l2tp: protect sock pointer of struct pppol2tp_session with RCU", "fixes": "ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741", "last_affected_version": "4.14.181", "last_modified": "2021-03-17", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0447", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0447", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0447", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0447", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0447", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-0447" } }, "CVE-2021-0448": { "affected_versions": "v2.6.16-rc1 to v5.9-rc7", "breaks": "c1d10adb4a521de5760112853f42aaeefcec96eb", "cmt_msg": "netfilter: ctnetlink: add a range check for l3/l4 protonum", "fixes": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "last_affected_version": "5.8.12", "last_modified": "2021-03-17", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0448", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0448", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0448", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0448", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0448", "Ubuntu": 
"https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-0448" } }, "CVE-2021-0512": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1-dontuse", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: make arrays usage and value to be the same", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f", "last_affected_version": "5.11.1", "last_modified": "2023-12-06", "nvd_text": "In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0512", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0512", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0512", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0512", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0512", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0512" } }, "CVE-2021-0605": { "affected_versions": "v3.15-rc1 to v5.8", "breaks": "d3623099d3509fa68fa28235366049dd3156c63a", "cmt_msg": "af_key: pfkey_dump needs parameter validation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "37bd22420f856fcd976989f1d4f1f7ad28e1fcac", "last_affected_version": "5.7", "last_modified": "2023-12-06", "nvd_text": "In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure in the kernel with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0605", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0605", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0605", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0605", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0605", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0605" } }, "CVE-2021-0606": { "affected_versions": "unk to unk", "breaks": "5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "328ec6286a78a71500b74255448e8f3c83d2b2c4", "last_modified": "2023-12-06", "nvd_text": "In drm_syncobj_handle_to_fd of drm_syncobj.c, there is a possible use after free due to incorrect refcounting. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168034487", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0606", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0606", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0606", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0606", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0606" }, "vendor_specific": true }, "CVE-2021-0695": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Use After Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In get_sock_stat of xt_qtaguid.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with User execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-184018316References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0695", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0695", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0695", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0695", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0695", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0695" }, "vendor_specific": true }, "CVE-2021-0707": { "affected_versions": "v5.8-rc4 to v5.11-rc3", "breaks": "4ab59c3c638c6c8952bf07739805d20eb6358a4d", "cmt_msg": "dmabuf: fix use-after-free of dmabuf's file->f_inode", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "05cd84691eafcd7959a1e120d5e72c0dd98c5d91", "last_affected_version": "5.10.6", "last_modified": "2023-12-06", "nvd_text": "In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-155756045References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0707", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0707", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0707", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0707", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0707", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0707" } }, "CVE-2021-0920": { "affected_versions": "v2.6.12-rc2 to v5.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "af_unix: fix garbage collect vs MSG_PEEK", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "cbcf01128d0a92e131bd09f1688fe032480b65ca", "last_affected_version": "5.13.6", "last_modified": "2023-12-06", "nvd_text": "In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0920", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0920", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0920", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0920", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0920", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0920" } }, "CVE-2021-0924": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In xhci_vendor_get_ops of xhci.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-194461020References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0924", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0924", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0924", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0924", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0924", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0924" }, "vendor_specific": true }, "CVE-2021-0929": { "affected_versions": "unk to v5.6-rc1", "breaks": "", "cmt_msg": "staging/android/ion: delete dma_buf->kmap/unmap implemenation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "3e9e0c5c764704218c0960ffdb139de075afaadf", "last_modified": "2023-12-06", "nvd_text": "In ion_dma_buf_end_cpu_access and related functions of ion.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-187527909References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0929", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0929", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0929", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0929", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0929", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0929" } }, "CVE-2021-0935": { "affected_versions": "v4.12 to v4.16-rc7", "breaks": "85cb73ff9b74785a7fc752875d7f0fe17ca3ea7c", "cmt_msg": "net: ipv6: keep sk status consistent after datagram connect failure", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "2f987a76a97773beafbc615b9c4d8fe79129a7f4", "last_affected_version": "4.15.14", "last_modified": "2023-12-06", "nvd_text": "In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168607263References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0935", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0935", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0935", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0935", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0935", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0935" } }, "CVE-2021-0936": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In acc_read of f_accessory.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173789633References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0936", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0936", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0936", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0936", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0936", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0936" }, "vendor_specific": true }, "CVE-2021-0937": { "affected_versions": "v2.6.19-rc1 to v5.12-rc8", "breaks": "9fa492cdc160cd27ce1046cb36f47d3b2b1efa21", "cmt_msg": "netfilter: x_tables: fix compat match/target pad out-of-bound write", "fixes": "b29c457a6511435960115c0f548c4360d5f4801d", "last_affected_version": "5.11.14", "last_modified": "2021-10-12", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0937", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0937", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0937", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0937", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0937", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0937" } }, "CVE-2021-0938": { "affected_versions": "v4.19-rc1 to v5.10-rc4", "breaks": "815f0ddb346c196018d4d8f8f55c12b83da1de3f", "cmt_msg": "compiler.h: fix barrier_data() on clang", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Use of 
Uninitialized Resource", "fixes": "3347acc6fcd4ee71ad18a9ff9d9dac176b517329", "last_affected_version": "5.9.14", "last_modified": "2023-12-06", "nvd_text": "In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-171418586References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0938", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0938", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0938", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0938" } }, "CVE-2021-0941": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1-dontuse", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Remove MTU check in __bpf_skb_max_len", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Read", "fixes": "6306c1189e77a513bf02720450bb43bd4ba5d8ae", "last_affected_version": "5.11.11", "last_modified": "2023-12-06", "nvd_text": "In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0941", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0941", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0941", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0941", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0941", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0941" } }, "CVE-2021-0961": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Missing Initialization of Resource", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In quota_proc_write of xt_quota2.c, there is a possible way to read kernel memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196046570References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-0961", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-0961", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-0961", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-0961", "SUSE": "https://www.suse.com/security/cve/CVE-2021-0961", "Ubuntu": "https://ubuntu.com/security/CVE-2021-0961" }, "vendor_specific": true }, "CVE-2021-1048": { "affected_versions": "v5.9-rc2 to v5.9-rc4", "backport": true, "breaks": "a9ed4a6560b8562b7e2e2bed9527e88001f7b682", "cmt_msg": "fix regression in \"epoll: Keep a reference on files added to the check list\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "77f4689de17c0887775bb77896f4cc11a39bf848", "last_affected_version": "5.8.7", "last_modified": "2023-12-06", "nvd_text": "In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-204573007References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-1048", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-1048", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-1048", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-1048", "SUSE": "https://www.suse.com/security/cve/CVE-2021-1048", "Ubuntu": "https://ubuntu.com/security/CVE-2021-1048" } }, "CVE-2021-20177": { "affected_versions": "v4.19-rc1 to v5.5-rc1", "breaks": "17266ee939849cb095ed7dd9edbec4162172226b", "cmt_msg": "netfilter: add and use nf_hook_slow_list()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "ca58fbe06c54795f00db79e447f94c2028d30124", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system. 
Kernel before kernel 5.5-rc1 is affected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20177", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20177", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20177", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20177", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20177", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20177" } }, "CVE-2021-20194": { "affected_versions": "v5.5-rc1 to v5.10-rc1", "breaks": "fcb323cc53e29d9cc696d606bb42736b32dd9825", "cmt_msg": "io_uring: don't rely on weak ->files references", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Input Validation", "fixes": "0f2122045b946241a9e549c2a76cea54fa58a7ff", "last_affected_version": "5.10.14", "last_modified": "2023-12-06", "nvd_text": "There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). 
The impact of the attack could be denial of service or possibly privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20194", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20194", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20194", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20194", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20194", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20194" } }, "CVE-2021-20219": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Incorrect Comparison", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. 
In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20219", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20219", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20219", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20219", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20219", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20219" }, "vendor_specific": true }, "CVE-2021-20226": { "affected_versions": "v5.5-rc1 to v5.10-rc1", "breaks": "fcb323cc53e29d9cc696d606bb42736b32dd9825", "cmt_msg": "io_uring: don't rely on weak ->files references", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "0f2122045b946241a9e549c2a76cea54fa58a7ff", "last_affected_version": "5.9.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in io_uring in the Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system. The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. 
The highest threat from this vulnerability is to data integrity, confidentiality and system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20226", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20226", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20226", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20226", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20226", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20226" } }, "CVE-2021-20239": { "affected_versions": "v5.3-rc1 to v5.9-rc1", "breaks": "0d01da6afc5402f60325c5da31b22f7d56689b49", "cmt_msg": "net: pass a sockptr_t into ->setsockopt", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "a7b75c5a8c41445f33efb663887ff5f5c3b4454b", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. 
The highest threat from this vulnerability is to confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20239", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20239", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20239", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20239", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20239", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20239" } }, "CVE-2021-20261": { "affected_versions": "v2.6.12-rc2 to v4.5-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: fix lock_fdc() signal handling", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "a0c80efe5956ccce9fe7ae5c78542578c07bc20a", "last_affected_version": "4.4.261", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes greatly. 
In the default configuration root (or equivalent) permissions are required to attack this flaw.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20261", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20261", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20261", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20261", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20261", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20261" } }, "CVE-2021-20265": { "affected_versions": "v2.6.38 to v4.5-rc3", "breaks": "b3ca9b02b00704053a38bfe4c31dbbb9c13595d0", "cmt_msg": "af_unix: fix struct pid memory leak", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "fa0dc04df259ba2df3ce1920e9690c7842f8fa4b", "last_affected_version": "4.4.3", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20265", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20265", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20265", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20265", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20265", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20265" } }, "CVE-2021-20268": { "affected_versions": "v5.7-rc1 to v5.11-rc5", "breaks": "3f50f132d8400e129fc9eb68b5020167ef80a244", "cmt_msg": "bpf: Fix signed_{sub,add32}_overflows type handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Input Validation", "fixes": "bc895e8b2a64e502fbba72748d59618272052a8b", "last_affected_version": "5.10.9", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local user to crash the system or possibly escalate their privileges. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20268", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20268", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20268", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20268", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20268", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20268" } }, "CVE-2021-20292": { "affected_versions": "v2.6.12-rc2 to v5.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/ttm/nouveau: don't call tt destroy callback on alloc failure.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "5de5b6ecf97a021f29403aa272cb4e03318ef586", "last_affected_version": "5.8.1", "last_modified": "2023-12-06", "nvd_text": "There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. 
An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20292", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20292", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20292", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20292", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20292", "Ubuntu": "https://ubuntu.com/security/CVE-2021-20292" } }, "CVE-2021-20317": { "affected_versions": "v2.6.12-rc2 to v5.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "lib/timerqueue: Rely on rbtree semantics for next timer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Improper Initialization", "fixes": "511885d7061eda3eb1faf3f57dcc936ff75863f1", "last_affected_version": "4.19.209", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. 
This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20317", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20317", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20317", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20317", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20317", "Ubuntu": "https://ubuntu.com/security/CVE-2021-20317" } }, "CVE-2021-20320": { "affected_versions": "v4.1-rc1 to v5.15-rc3", "breaks": "054623105728b06852f077299e2bf1bf3d5f2b0b", "cmt_msg": "s390/bpf: Fix optimizing out zero-extensions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "db7bee653859ef7179be933e7d1384644f795f26", "last_affected_version": "5.14.6", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. 
In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20320", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20320", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20320", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20320", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20320", "Ubuntu": "https://ubuntu.com/security/CVE-2021-20320" } }, "CVE-2021-20321": { "affected_versions": "v2.6.12-rc2 to v5.15-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ovl: fix missing negative dentry check in ovl_rename()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "a295aef603e109a47af355477326bd41151765b6", "last_affected_version": "5.14.11", "last_modified": "2023-12-06", "nvd_text": "A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. 
A local user could use this flaw to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20321", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20321", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20321", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20321", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20321", "Ubuntu": "https://ubuntu.com/security/CVE-2021-20321" } }, "CVE-2021-20322": { "affected_versions": "v4.15-rc1 to v5.15-rc1", "breaks": "35732d01fe311ec13c4e42936878b782b8e7ea85", "cmt_msg": "ipv6: make exception cache less predictible", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "score": 5.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "score": 7.4 }, "cwe": "Use of Insufficiently Random Values", "fixes": "a00df2caffed3883c341d5685f830434312e4a43", "last_affected_version": "5.14.3", "last_modified": "2023-12-06", "nvd_text": "A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. 
The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-20322", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-20322", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-20322", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-20322", "SUSE": "https://www.suse.com/security/cve/CVE-2021-20322", "Ubuntu": "https://ubuntu.com/security/CVE-2021-20322" } }, "CVE-2021-21781": { "affected_versions": "v2.6.12-rc2 to v5.11-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ARM: ensure the signal page contains defined contents", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Use of Uninitialized Resource", "fixes": "9c698bff66ab4914bb3d71da7dc6112519bde23e", "last_affected_version": "5.10.16", "last_modified": "2023-12-06", "nvd_text": "An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process\u2019s memory at a specific offset to trigger this vulnerability. 
This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-21781", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-21781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-21781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-21781", "SUSE": "https://www.suse.com/security/cve/CVE-2021-21781", "Ubuntu": "https://ubuntu.com/security/CVE-2021-21781" } }, "CVE-2021-22543": { "affected_versions": "v2.6.12-rc2 to v5.13", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: do not allow mapping valid but non-reference-counted pages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "f8be156be163a052a067306417cd0ff679068c97", "last_affected_version": "5.12", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. 
This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-22543", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-22543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-22543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-22543", "SUSE": "https://www.suse.com/security/cve/CVE-2021-22543", "Ubuntu": "https://ubuntu.com/security/CVE-2021-22543" } }, "CVE-2021-22555": { "affected_versions": "v2.6.19-rc1 to v5.12-rc8", "breaks": "9fa492cdc160cd27ce1046cb36f47d3b2b1efa21", "cmt_msg": "netfilter: x_tables: fix compat match/target pad out-of-bound write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "b29c457a6511435960115c0f548c4360d5f4801d", "last_affected_version": "5.11.14", "last_modified": "2023-12-06", "nvd_text": "A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. 
This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user namespaces.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-22555", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-22555", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-22555", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-22555", "SUSE": "https://www.suse.com/security/cve/CVE-2021-22555", "Ubuntu": "https://ubuntu.com/security/CVE-2021-22555" } }, "CVE-2021-22600": { "affected_versions": "v5.6 to v5.16-rc6", "breaks": "61fad6816fc10fb8793a925d5c1256d1c3db0cd2", "cmt_msg": "net/packet: rx_owner_map depends on pg_vec", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Double Free", "fixes": "ec6af094ea28f0f2dda1a6a33b14cd57e36a9755", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. 
We recommend upgrading the kernel past the affected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-22600", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-22600", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-22600", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-22600", "SUSE": "https://www.suse.com/security/cve/CVE-2021-22600", "Ubuntu": "https://ubuntu.com/security/CVE-2021-22600" } }, "CVE-2021-23133": { "affected_versions": "v4.10-rc1 to v5.12-rc8", "breaks": "61023658760032e97869b07d54be9681d2529e77", "cmt_msg": "net/sctp: fix race condition in sctp_destroy_sock", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "last_affected_version": "5.11.15", "last_modified": "2023-12-06", "nvd_text": "A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. 
This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-23133", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-23133", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-23133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-23133", "SUSE": "https://www.suse.com/security/cve/CVE-2021-23133", "Ubuntu": "https://ubuntu.com/security/CVE-2021-23133" } }, "CVE-2021-23134": { "affected_versions": "v5.12-rc7 to v5.13-rc1", "breaks": "8a4cd82d62b5ec7e5482333a72b58a4eea4979f0", "cmt_msg": "net/nfc: fix use-after-free llcp_sock_bind/connect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. 
In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-23134", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-23134", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-23134", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-23134", "SUSE": "https://www.suse.com/security/cve/CVE-2021-23134", "Ubuntu": "https://ubuntu.com/security/CVE-2021-23134" } }, "CVE-2021-26401": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Use generic retpoline by default on AMD", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Unspecified", "fixes": "244d00b5dd4755f8df892c86cab35fb2cfd4f14b", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-26401", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-26401", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-26401", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-26401", "SUSE": "https://www.suse.com/security/cve/CVE-2021-26401", "Ubuntu": "https://ubuntu.com/security/CVE-2021-26401" } }, "CVE-2021-26708": { "affected_versions": "v5.5-rc1 to v5.11-rc7", "breaks": 
"c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "cmt_msg": "vsock: fix the race conditions in multi-transport support", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Privilege Management", "fixes": "c518adafa39f37858697ac9309c6cf1805581446", "last_affected_version": "5.10.12", "last_modified": "2023-12-06", "nvd_text": "A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. 
The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-26708", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-26708", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-26708", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-26708", "SUSE": "https://www.suse.com/security/cve/CVE-2021-26708", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-26708" } }, "CVE-2021-26930": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-blkback: fix error handling in xen_blkbk_map()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "871997bc9e423f05c7da7c9178e62dde5df2a7f8", "last_affected_version": "5.11.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. 
This affects drivers/block/xen-blkback/blkback.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-26930", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-26930", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-26930", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-26930", "SUSE": "https://www.suse.com/security/cve/CVE-2021-26930", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-26930" } }, "CVE-2021-26931": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-blkback: don't \"handle\" error by BUG()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Allocation of Resources Without Limits or Throttling", "fixes": "5a264285ed1cd32e26d9de4f3c8c6855e467fd63", "last_affected_version": "5.11.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. 
This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-26931", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-26931", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-26931", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-26931", "SUSE": "https://www.suse.com/security/cve/CVE-2021-26931", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-26931" } }, "CVE-2021-26932": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Xen/x86: don't bail early from clear_foreign_p2m_mapping()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "a35f2ef3b7376bfd0a57f7844bd7454389aae1fc", "last_affected_version": "5.11.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. 
In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-26932", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-26932", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-26932", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-26932", "SUSE": "https://www.suse.com/security/cve/CVE-2021-26932", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-26932" } }, "CVE-2021-26934": { "affected_versions": "v4.18-rc1 to unk", "breaks": "c575b7eeb89f94356997abd62d6d5a0590e259b7", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. 
The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-26934", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-26934", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-26934", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-26934", "SUSE": "https://www.suse.com/security/cve/CVE-2021-26934", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-26934" } }, "CVE-2021-27363": { "affected_versions": "v2.6.12-rc2 to v5.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: iscsi: Restrict sessions and handles to admin capabilities", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "score": 4.4 }, "cwe": "Unspecified", "fixes": "688e8128b7a92df982709a4137ea4588d16f24aa", "last_affected_version": "5.11.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. 
This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-27363", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-27363", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-27363", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-27363", "SUSE": "https://www.suse.com/security/cve/CVE-2021-27363", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-27363" } }, "CVE-2021-27364": { "affected_versions": "v2.6.12-rc2 to v5.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: iscsi: Restrict sessions and handles to admin capabilities", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "688e8128b7a92df982709a4137ea4588d16f24aa", "last_affected_version": "5.11.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.3. 
drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-27364", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-27364", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-27364", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-27364", "SUSE": "https://www.suse.com/security/cve/CVE-2021-27364", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-27364" } }, "CVE-2021-27365": { "affected_versions": "v2.6.12-rc2 to v5.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "ec98ea7070e94cc25a422ec97d1421e28d97b7ee", "last_affected_version": "5.11.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. 
An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-27365", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-27365", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-27365", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-27365", "SUSE": "https://www.suse.com/security/cve/CVE-2021-27365", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-27365" } }, "CVE-2021-28038": { "affected_versions": "v2.6.12-rc2 to v5.12-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Xen/gnttab: handle p2m update errors on a per-slot basis", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Allocation of Resources Without Limits or Throttling", "fixes": "8310b77b48c5558c140e7a57a702e7819e62f04e", "last_affected_version": "5.11.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. 
NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28038", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28038", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28038", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28038", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28038", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-28038" } }, "CVE-2021-28039": { "affected_versions": "v5.9-rc4 to v5.12-rc2", "breaks": "9e2369c06c8a181478039258a4598c1ddd2cadfa", "cmt_msg": "xen: fix p2m size in dom0 for disabled memory hotplug case", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "882213990d32fd224340a4533f6318dd152be4b2", "last_affected_version": "5.11.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. 
The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28039", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28039", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28039", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-28039" } }, "CVE-2021-28375": { "affected_versions": "v5.1-rc1 to v5.12-rc3", "breaks": "c68cfb718c8f97b7f7a50ed66be5feb42d0c8988", "cmt_msg": "misc: fastrpc: restrict user apps from sending kernel RPC messages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "20c40794eb85ea29852d7bc37c55713802a543d6", "last_affected_version": "5.11.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. 
This is a related issue to CVE-2019-2308.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28375", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28375", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28375", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28375", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28375", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-28375" } }, "CVE-2021-28660": { "affected_versions": "v3.12-rc1 to v5.12-rc3", "breaks": "a2c60d42d97cdbeee3c7371cd3502fca77f07d39", "cmt_msg": "staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "score": 8.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Out-of-bounds Write", "fixes": "74b6b20df8cfe90ada777d621b54c32e69e27cd7", "last_affected_version": "5.11.6", "last_modified": "2023-12-06", "nvd_text": "rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. 
NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28660", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28660", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28660", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28660" } }, "CVE-2021-28688": { "affected_versions": "v2.6.12-rc2 to v5.12-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-blkback: don't leak persistent grants from xen_blkbk_map()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Initialization", "fixes": "a846738f8c3788d846ed1f587270d2f2e3d32432", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. 
All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28688", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28688", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28688", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28688", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28688", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28688" } }, "CVE-2021-28691": { "affected_versions": "v5.5-rc1 to v5.13-rc6", "breaks": "2ac061ce97f413bfbbdd768f7d2e0fda2e8170df", "cmt_msg": "xen-netback: take a reference to the RX task thread", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "107866a8eb0b664675a260f1ba0655010fac1e08", "last_affected_version": "5.12.9", "last_modified": "2023-12-06", "nvd_text": "Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. 
Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28691", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28691", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28691", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28691", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28691", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28691" } }, "CVE-2021-28711": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/blkfront: harden blkfront against event channel storms", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "0fd08a34e8e3b67ec9bd8287ac0facf8374b844a", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as \"driver domains\". 
Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28711", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28711", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28711", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28711", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28711", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28711" } }, "CVE-2021-28712": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/netfront: harden netfront against event channel storms", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "b27d47950e481f292c0a5ad57357edb9d95d03ba", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to 
which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as \"driver domains\". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28712", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28712", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28712", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28712", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28712", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28712" } }, "CVE-2021-28713": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/console: harden hvc_xen against event channel storms", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "fe415186b43df0db1f17fa3a46275fd92107fe71", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "Rogue backends can cause DoS of guests via high 
frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as \"driver domains\". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28713", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28713", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28713", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28713", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28713", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28713" } }, "CVE-2021-28714": { "affected_versions": "v4.3-rc1 to v5.16-rc7", "breaks": "1d5d48523900a4b0f25d6b52f1a93c84bd671186", "cmt_msg": "xen/netback: fix rx queue stall detection", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Resource Shutdown or Release", "fixes": 
"6032046ec4b70176d247a71836186d47b25d1684", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. 
(CVE-2021-28714)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28714", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28714", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28714", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28714", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28714", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28714" } }, "CVE-2021-28715": { "affected_versions": "v3.18-rc3 to v5.16-rc7", "breaks": "f48da8b14d04ca87ffcffe68829afd45f926ec6a", "cmt_msg": "xen/netback: don't queue unlimited number of packages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "be81992f9086b230623ae3ebbc85ecee4d00a3d3", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). 
Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28715", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28715", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28715", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28715", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28715", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28715" } }, "CVE-2021-28950": { "affected_versions": "v5.11-rc1 to v5.12-rc4", "breaks": "5d069dbe8aaf2a197142558b6fb2978189ba3454", "cmt_msg": "fuse: fix live lock in fuse_iget()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Excessive Iteration", "fixes": "775c5033a0d164622d9d10dd0f0a5531639ed3ed", "last_affected_version": "5.11.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. 
A \"stall on CPU\" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28950", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28950", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28950", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28950", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28950", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28950" } }, "CVE-2021-28951": { "affected_versions": "v5.10-rc1 to v5.12-rc2", "breaks": "7e84e1c7566a1df470a9e1f49d3db2ce311261a4", "cmt_msg": "io_uring: ensure that SQPOLL thread is started for exit", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "3ebba796fa251d042be42b929a2d916ee5c34a49", "last_affected_version": "5.11.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. 
It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28951", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28951", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28951", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28951" } }, "CVE-2021-28952": { "affected_versions": "v5.7-rc1 to v5.12-rc4", "breaks": "1b93a88431470ea0b943157999084d9c7e6e3bd3", "cmt_msg": "ASoC: qcom: sdm845: Fix array out of bounds access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "1c668e1c0a0f74472469cd514f40c9012b324c31", "last_affected_version": "5.11.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. 
(This has been fixed in 5.12-rc4.)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28952", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28952", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28952", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28952", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28952", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28952" } }, "CVE-2021-28964": { "affected_versions": "v3.7-rc3 to v5.12-rc4", "breaks": "834328a8493079d15f30866ace42489463f52571", "cmt_msg": "btrfs: fix race when cloning extent buffer during rewind of an old root", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "dbcc7d57bffc0c8cac9dac11bec548597d59a6a5", "last_affected_version": "5.11.8", "last_modified": "2023-12-06", "nvd_text": "A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. 
It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28964", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28964", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28964", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28964", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28964", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28964" } }, "CVE-2021-28971": { "affected_versions": "v4.5-rc1 to v5.12-rc4", "breaks": "01330d7288e0050c5aaabc558059ff91589e67cd", "cmt_msg": "perf/x86/intel: Fix a crash caused by zero PEBS status", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "d88d05a9e0b6d9356e97129d4ff9942d765f46ea", "last_affected_version": "5.11.8", "last_modified": "2023-12-06", "nvd_text": "In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28971", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28971", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28971", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28971", 
"SUSE": "https://www.suse.com/security/cve/CVE-2021-28971", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28971" } }, "CVE-2021-28972": { "affected_versions": "v2.6.12-rc2 to v5.12-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "PCI: rpadlpar: Fix potential drc_name corruption in store functions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "cc7a0bb058b85ea03db87169c60c7cfdd5d34678", "last_affected_version": "5.11.8", "last_modified": "2023-12-06", "nvd_text": "In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. 
This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination, aka CID-cc7a0bb058b8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-28972", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-28972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-28972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-28972", "SUSE": "https://www.suse.com/security/cve/CVE-2021-28972", "Ubuntu": "https://ubuntu.com/security/CVE-2021-28972" } }, "CVE-2021-29154": { "affected_versions": "v2.6.12-rc2 to v5.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf, x86: Validate computation of branch displacements for x86-64", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Neutralization of Special Elements used in a Command ('Command Injection')", "fixes": "e4d4d456436bfb2fe412ee2cd489f7658449b098", "last_affected_version": "5.11.12", "last_modified": "2023-12-06", "nvd_text": "BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. 
This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29154", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29154", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29154", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29154", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29154", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29154" } }, "CVE-2021-29155": { "affected_versions": "v2.6.12-rc2 to v5.12-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Use correct permission flag for mixed signed bounds arithmetic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "9601148392520e2e134936e76788fc2a6371e7be", "last_affected_version": "5.11.15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. 
Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29155", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29155", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29155", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29155", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29155", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29155" } }, "CVE-2021-29264": { "affected_versions": "v4.8-rc5 to v5.12-rc3", "breaks": "6c389fc931bcda88940c809f752ada6d7799482c", "cmt_msg": "gianfar: fix jumbo packets+napi+rx overrun crash", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.10. 
drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29264", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29264", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29264", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29264", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29264", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29264" } }, "CVE-2021-29265": { "affected_versions": "v2.6.39-rc1 to v5.12-rc3", "breaks": "9720b4bc76a83807c68e00c62bfba575251bb73e", "cmt_msg": "usbip: fix stub_dev usbip_sockfd_store() races leading to gpf", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "9380afd6df70e24eacbdbde33afc6a3950965d22", "last_affected_version": "5.11.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.7. 
usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29265", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29265", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29265", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29265", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29265", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29265" } }, "CVE-2021-29266": { "affected_versions": "v5.8-rc1 to v5.12-rc4", "breaks": "776f395004d829bbbf18c159ed9beb517a208c71", "cmt_msg": "vhost-vdpa: fix use-after-free of v->config_ctx", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9", "last_affected_version": "5.11.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.9. 
drivers/vhost/vdpa.c has a use-after-free because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29266", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29266", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29266", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29266", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29266", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29266" } }, "CVE-2021-29646": { "affected_versions": "v5.5-rc1 to v5.12-rc5", "breaks": "e1f32190cf7ddd55778b460e7d44af3f76529698", "cmt_msg": "tipc: better validate user input in tipc_nl_retrieve_key()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.11. 
tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29646", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29646", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29646", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29646" } }, "CVE-2021-29647": { "affected_versions": "v4.7-rc1 to v5.12-rc5", "breaks": "bdabad3e363d825ddf9679dd431cca0b2c30f881", "cmt_msg": "net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "50535249f624d0072cd885bcdce4e4b6fb770160", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.11. 
qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29647", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29647", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29647", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29647" } }, "CVE-2021-29648": { "affected_versions": "v5.11-rc1 to v5.12-rc5", "breaks": "5329722057d41aebc31e391907a501feaa42f7d9", "cmt_msg": "bpf: Dont allow vmlinux BTF to be used in map_create and prog_load.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Restriction of Excessive Authentication Attempts", "fixes": "350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.11. 
The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF), which can cause a system crash upon an unexpected access attempt (in map_create in kernel/bpf/syscall.c or check_btf_info in kernel/bpf/verifier.c), aka CID-350a5c4dd245.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29648", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29648", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29648", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29648" } }, "CVE-2021-29649": { "affected_versions": "v5.10-rc1 to v5.12-rc5", "breaks": "d71fa5c9763c24dd997a2fa4feb7a13a95bab42c", "cmt_msg": "bpf: Fix umd memory leak in copy_process()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "f60a85cad677c4f9bb4cadd764f1d106c38c7cf8", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.11. 
The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c, aka CID-f60a85cad677.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29649", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29649", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29649", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29649", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29649", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29649" } }, "CVE-2021-29650": { "affected_versions": "v3.0-rc1 to v5.12-rc5", "breaks": "7f5c6d4f665bb57a19a34ce1fb16cc708c04f219", "cmt_msg": "netfilter: x_tables: Use correct memory barriers.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "175e476b8cdf2a4de7432583b49c871345e4f8a1", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.11. 
The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29650", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29650", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29650", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29650", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29650", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29650" } }, "CVE-2021-29657": { "affected_versions": "v5.10-rc1 to v5.12-rc6", "breaks": "2fcf4876ada8a293d3b92a1033b8b990a7c613d3", "cmt_msg": "KVM: SVM: load control fields from VMCB12 before checking them", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.4 }, "cwe": "Use After Free", "fixes": "a58d9166a756a0f4a6618e4f593232593d6df134", "last_affected_version": "5.11.11", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. 
This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-29657", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-29657", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-29657", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-29657", "SUSE": "https://www.suse.com/security/cve/CVE-2021-29657", "Ubuntu": "https://ubuntu.com/security/CVE-2021-29657" } }, "CVE-2021-30002": { "affected_versions": "v2.6.39-rc1 to v5.12-rc1-dontuse", "breaks": "d14e6d76ebf740fd0d0bd296933993a555938896", "cmt_msg": "media: v4l: ioctl: Fix memory leak in video_usercopy", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "fb18802a338b36f675a388fc03d2aa504a0d0899", "last_affected_version": "5.11.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. 
video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-30002", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-30002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-30002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-30002", "SUSE": "https://www.suse.com/security/cve/CVE-2021-30002", "Ubuntu": "https://ubuntu.com/security/CVE-2021-30002" } }, "CVE-2021-30178": { "affected_versions": "v5.12-rc1-dontuse to v5.12-rc2", "breaks": "8f014550dfb114cc7f42a517d20d2cf887a0b771", "cmt_msg": "KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "919f4ebc598701670e80e31573a58f1f2d2bf918", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.11.11. 
synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-30178", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-30178", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-30178", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-30178", "SUSE": "https://www.suse.com/security/cve/CVE-2021-30178", "Ubuntu": "https://ubuntu.com/security/CVE-2021-30178" } }, "CVE-2021-31440": { "affected_versions": "v5.7-rc1 to v5.13-rc1", "breaks": "3f50f132d8400e129fc9eb68b5020167ef80a244", "cmt_msg": "bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Incorrect Calculation", "fixes": "10bf4e83167cc68595b85fd73bb91e8f2c086e36", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. 
Was ZDI-CAN-13661.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-31440", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-31440", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-31440", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-31440", "SUSE": "https://www.suse.com/security/cve/CVE-2021-31440", "Ubuntu": "https://ubuntu.com/security/CVE-2021-31440" } }, "CVE-2021-3178": { "affected_versions": "v2.6.12-rc2 to v5.11-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nfsd4: readdirplus shouldn't return parent of export", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "score": 5.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "score": 6.5 }, "cwe": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "fixes": "51b2ee7d006a736a9126e8111d1f24e4fd0afaa6", "last_affected_version": "5.10.9", "last_modified": "2023-12-06", "nvd_text": "fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. 
NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3178", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3178", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3178", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3178", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3178", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3178" } }, "CVE-2021-31829": { "affected_versions": "v5.0-rc1 to v5.13-rc1", "breaks": "979d63d50c0c0f7bc537bf821e056cc9fe5abd38", "cmt_msg": "bpf: Fix masking negation logic upon negative dst register", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Incorrect Authorization", "fixes": "b9b34ddbe2076ade359cd5ce7537d5ed019e9807", "last_affected_version": "5.12.1", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. 
Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-31829", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-31829", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-31829", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-31829", "SUSE": "https://www.suse.com/security/cve/CVE-2021-31829", "Ubuntu": "https://ubuntu.com/security/CVE-2021-31829" } }, "CVE-2021-31916": { "affected_versions": "v2.6.12-rc2 to v5.12-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dm ioctl: fix out of bounds array access when no devices", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a", "last_affected_version": "5.11.10", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-31916", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-31916", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-31916", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-31916", "SUSE": "https://www.suse.com/security/cve/CVE-2021-31916", "Ubuntu": "https://ubuntu.com/security/CVE-2021-31916" } }, "CVE-2021-32078": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ARM: footbridge: remove personal server platform", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:C", "score": 6.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "298a58e165e447ccfaae35fe9f651f9d7e15166f", "last_modified": "2023-12-06", "nvd_text": "An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-32078", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-32078", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-32078", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-32078", "SUSE": "https://www.suse.com/security/cve/CVE-2021-32078", "Ubuntu": "https://ubuntu.com/security/CVE-2021-32078" } }, "CVE-2021-32399": { 
"affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bluetooth: eliminate the potential race condition when removing the HCI controller", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "e2cb6b891ad2b8caa9131e3be70f45243df82a80", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-32399", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-32399", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-32399", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-32399", "SUSE": "https://www.suse.com/security/cve/CVE-2021-32399", "Ubuntu": "https://ubuntu.com/security/CVE-2021-32399" } }, "CVE-2021-32606": { "affected_versions": "v5.11-rc1 to v5.13-rc4", "breaks": "921ca574cd382142add8b12d0a7117f495510de5", "cmt_msg": "can: isotp: prevent race between isotp_bind() and isotp_setsockopt()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", 
"Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "2b17c400aeb44daf041627722581ade527bb3c1d", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-32606", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-32606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-32606", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-32606", "SUSE": "https://www.suse.com/security/cve/CVE-2021-32606", "Ubuntu": "https://ubuntu.com/security/CVE-2021-32606" } }, "CVE-2021-33033": { "affected_versions": "v4.8-rc1 to v5.12-rc3", "breaks": "d7cce01504a0ccb95b5007d846560cfccbc1947f", "cmt_msg": "cipso,calipso: resolve a number of problems with the DOI refcounts", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ad5d07f4a9cd671233ae20983848874731102c08", "last_affected_version": "5.11.6", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.11.14 has a use-after-free in 
cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33033", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33033", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33033", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33033", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33033", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33033" } }, "CVE-2021-33034": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: verify AMP hci_chan before amp_destroy", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "5c4c8c9544099bb9043a10a5318130a943e32fc3", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. 
This leads to writing an arbitrary value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33034", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33034", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33034", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33034", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33034", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33034" } }, "CVE-2021-33061": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ixgbe: add improvement for MDD response functionality", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "008ca35f6e87be1d60b6af3d1ae247c6d5c2531d", "last_modified": "2023-12-06", "nvd_text": "Insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33061", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33061", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33061", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33061", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33061", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33061" } }, "CVE-2021-33098": { "affected_versions": "v3.8-rc1 to v5.13-rc4", "breaks": "872844ddb9e44a49b759ae3e34250fefbab656f2", "cmt_msg": 
"ixgbe: fix large MTU request from VF", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "63e39d29b3da02e901349f6cd71159818a4737a6", "last_affected_version": "5.12.8", "last_modified": "2023-12-06", "nvd_text": "Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33098", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33098", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33098", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33098", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33098", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33098" } }, "CVE-2021-33135": { "affected_versions": "v5.11-rc1 to v5.17-rc8", "breaks": "1728ab54b4be94aed89276eeb8e750a345659765", "cmt_msg": "x86/sgx: Free backing memory after faulting the enclave page", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "08999b2489b4c9b939d7483dbd03702ee4576d96", "last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "Uncontrolled resource consumption in the Linux kernel drivers for Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33135", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33135", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33135", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33135", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33135", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33135" } }, "CVE-2021-33200": { "affected_versions": "v5.12-rc8 to v5.13-rc4", "breaks": "7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0", "cmt_msg": "bpf: Wrap aux data inside bpf_sanitize_info container", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "3d0220f6861d713213b015b582e9f21e5b28d2e0", "last_affected_version": "5.12.7", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33200", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33200", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33200", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33200", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33200", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33200" } }, "CVE-2021-3347": { "affected_versions": "v4.15-rc9 to v5.11-rc6", "breaks": "c1e2f0eaf015fb7076d51a339011f2383e6dd389", "cmt_msg": "futex: Ensure the correct return value from futex_lock_pi()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9", "last_affected_version": "5.10.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.10.11. 
PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3347", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3347", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3347", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3347", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3347", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3347" } }, "CVE-2021-3348": { "affected_versions": "v4.10-rc1 to v5.11-rc6", "breaks": "9561a7ade0c205bc2ee035a2ac880478dcc1a024", "cmt_msg": "nbd: freeze the queue while we're adding connections", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "b98e762e3d71e893b221f871825dc64694cfb258", "last_affected_version": "5.10.12", "last_modified": "2023-12-06", "nvd_text": "nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3348", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3348", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-3348", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3348", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3348", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3348" } }, "CVE-2021-33624": { "affected_versions": "v4.15-rc8 to v5.13-rc7", "breaks": "b2157399cc9898260d6031c5bfe45fe137c1fbe7", "cmt_msg": "bpf: Inherit expanded/patched seen count from old aux data", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Observable Discrepancy", "fixes": "d203b0fd863a2261e5d00b97f3d060c4c2a6db71", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33624", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33624", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33624", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33624", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33624", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33624" } }, "CVE-2021-33630": { "affected_versions": "v5.2-rc1 to v5.4-rc1", "breaks": "e0a7683d30e91e30ee6cf96314ae58a0314a095e", "cmt_msg": "net/sched: cbs: Fix not adding cbs instance to list", 
"cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "3e8b9bfa110896f95d602d8c98d5f9d67e41d78c", "last_affected_version": "5.3.3", "last_modified": "2024-02-24", "nvd_text": "NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation. This vulnerability is associated with program files net/sched/sch_cbs.c.\n\nThis issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33630", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33630", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33630", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33630" } }, "CVE-2021-33631": { "affected_versions": "v3.8-rc1 to v6.2-rc1", "breaks": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e", "cmt_msg": "ext4: fix kernel BUG in 'ext4_write_inline_data_end()'", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "5c099c4fdc438014d5893629e70a8ba934433ee8", "last_affected_version": "6.1.3", "last_modified": "2024-02-02", "nvd_text": "Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow. This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0.\n\n", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2021-33631", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33631", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33631", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33631", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33631", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33631" } }, "CVE-2021-33655": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbcon: Disallow setting font bigger than screen size", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "65a01e601dbba8b7a51a2677811f70f783766682", "last_affected_version": "5.18.10", "last_modified": "2023-12-06", "nvd_text": "When sending malicious data to the kernel by ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out of bounds.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33655", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33655", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33655", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33655", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33655", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33655" } }, "CVE-2021-33656": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1-dontuse", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt: drop old FONT ioctls", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": 
"Out-of-bounds Write", "fixes": "ff2047fb755d4415ec3c70ac799889371151796d", "last_affected_version": "5.10.126", "last_modified": "2023-12-06", "nvd_text": "When setting a font with malicious data by ioctl cmd PIO_FONT, the kernel will write memory out of bounds.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33656", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-33656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33656", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33656", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33656" } }, "CVE-2021-33909": { "affected_versions": "v3.16-rc4 to v5.14-rc3", "breaks": "058504edd02667eef8fac9be27ab3ea74332e9b4", "cmt_msg": "seq_file: disallow extremely large seq buffer allocations", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-33909", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2021-33909", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-33909", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-33909", "SUSE": "https://www.suse.com/security/cve/CVE-2021-33909", "Ubuntu": "https://ubuntu.com/security/CVE-2021-33909" } }, "CVE-2021-3411": { "affected_versions": "v5.5-rc1 to v5.10", "breaks": "7705dc8557973d8ad8f10840f61d8ec805695e9e", "cmt_msg": "x86/kprobes: Fix optprobe to detect INT3 padding correctly", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Improper Control of Generation of Code ('Code Injection')", "fixes": "0d07c0ec4381f630c801539c79ad8dcc627f6e4a", "last_affected_version": "5.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3411", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3411", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3411", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3411", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3411", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3411" } }, "CVE-2021-3428": { "affected_versions": "v5.2-rc2 to v5.9-rc2", "breaks": "0a944e8a6c66ca04c7afbaa17e22bf208a8b37f0", "cmt_msg": "ext4: handle error of ext4_setup_system_zone() on remount", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Integer Overflow or Wraparound", "fixes": "d176b1f62f242ab259ff665a26fbac69db1aecba", "last_affected_version": "5.8.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. 
By fabricating an integer overflow, a local attacker with a special user privilege may cause a system crash, which can lead to an availability threat.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3428", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3428", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3428", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3428", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3428", "Ubuntu": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3428" } }, "CVE-2021-3444": { "affected_versions": "v4.15-rc5 to v5.12-rc1-dontuse", "breaks": "468f6eafa6c44cb2c5d8aad35e12f06c240a812a", "cmt_msg": "bpf: Fix truncation handling for mod32 dst reg wrt zero", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "9b00f1b78809309163dda2d044d9e94a3c0248a3", "last_affected_version": "5.11.1", "last_modified": "2023-12-06", "nvd_text": "The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this to gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. 
This issue was addressed in the upstream kernel in commit 9b00f1b78809 (\"bpf: Fix truncation handling for mod32 dst reg wrt zero\") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3444", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3444", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3444", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3444", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3444", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3444" } }, "CVE-2021-34556": { "affected_versions": "v2.6.12-rc2 to v5.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Introduce BPF nospec instruction for mitigating Spectre v4", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Observable Discrepancy", "fixes": "f5e81d1117501546b7be050c5fbafa6efd2c722c", "last_affected_version": "5.13.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-34556", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-34556", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-34556", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2021-34556", "SUSE": "https://www.suse.com/security/cve/CVE-2021-34556", "Ubuntu": "https://ubuntu.com/security/CVE-2021-34556" } }, "CVE-2021-34693": { "affected_versions": "v2.6.25-rc1 to v5.13-rc7", "breaks": "ffd980f976e7fd666c2e61bf8ab35107efd11828", "cmt_msg": "can: bcm: fix infoleak in struct bcm_msg_head", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Missing Initialization of Resource", "fixes": "5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-34693", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-34693", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-34693", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-34693", "SUSE": "https://www.suse.com/security/cve/CVE-2021-34693", "Ubuntu": "https://ubuntu.com/security/CVE-2021-34693" } }, "CVE-2021-3483": { "affected_versions": "v2.6.12-rc2 to v5.12-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "firewire: nosy: Fix a use-after-free bug in nosy_ioctl()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality 
Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "829933ef05a951c8ff140e814656d73e74915faf", "last_affected_version": "5.11.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3483", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3483", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3483", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3483", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3483", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3483" } }, "CVE-2021-34866": { "affected_versions": "v5.8-rc1 to v5.14", "breaks": "457f44363a8894135c85b7a9afd2bd8196db24ab", "cmt_msg": "bpf: Fix ringbuf helper function compatibility", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"score": 7.8 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "5b029a32cfe4600f5e10e36b41778506b90fd4de", "last_affected_version": "5.13", "last_modified": "2023-12-06", "nvd_text": "This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-34866", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-34866", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-34866", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-34866", "SUSE": "https://www.suse.com/security/cve/CVE-2021-34866", "Ubuntu": "https://ubuntu.com/security/CVE-2021-34866" } }, "CVE-2021-3489": { "affected_versions": "v5.8-rc1 to v5.13-rc4", "breaks": "457f44363a8894135c85b7a9afd2bd8196db24ab", "cmt_msg": "bpf, ringbuf: Deny reserve of buffers larger than ringbuf", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": 
"4b81ccebaeee885ab1aa1438133f2991e3a2b6ea", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (\"bpf, ringbuf: Deny reserve of buffers larger than ringbuf\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (\"bpf: Implement BPF ring buffer and verifier support for it\") (v5.8-rc1).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3489", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3489", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3489", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3489", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3489", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3489" } }, "CVE-2021-3490": { "affected_versions": "v5.7-rc1 to v5.13-rc4", "breaks": "3f50f132d8400e129fc9eb68b5020167ef80a244", "cmt_msg": "bpf: Fix alu32 const subreg bound tracking on bitwise operations", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "049c4e13714ecbca567b4d5f6d563f05d431c80e", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "The eBPF ALU32 bounds 
tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (\"bpf: Fix alu32 const subreg bound tracking on bitwise operations\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (\"bpf:Fix a verifier failure with xor\") ( 5.10-rc1).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3490", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3490", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3490", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3490", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3490", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3490" } }, "CVE-2021-3491": { "affected_versions": "v5.7-rc1 to v5.13-rc1", "breaks": "ddf0322db79c5984dc1a1db890f946dd19b7d6d9", "cmt_msg": "io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Out-of-bounds Write", "fixes": "d1f82808877bb10d3deee7cf3374a4eb3fb582db", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "The io_uring subsystem in the Linux kernel 
allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc/<pid>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (\"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\") (v5.7-rc1).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3491", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3491", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3491", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3491", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3491", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3491" } }, "CVE-2021-3492": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user(). These could lead to either a double-free situation or memory not being freed at all. 
An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3492", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3492", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3492", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3492", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3492", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3492" }, "vendor_specific": true }, "CVE-2021-3493": { "affected_versions": "v2.6.12-rc2 to v5.11-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vfs: move cap_convert_nscap() call into vfs_setxattr()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "7c03e2cda4a584cadc398e8f6641ca9988a39d52", "last_modified": "2023-12-06", "nvd_text": "The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. 
Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3493", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3493", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3493", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3493", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3493", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3493" }, "vendor_specific": true }, "CVE-2021-34981": { "affected_versions": "v2.6.12-rc2 to v5.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails", "fixes": "3cfdf8fcaafa62a4123f92eb0f4a72650da3a479", "last_affected_version": "5.13.2", "last_modified": "2021-11-04", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-34981", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-34981", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-34981", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-34981", "SUSE": "https://www.suse.com/security/cve/CVE-2021-34981", "Ubuntu": "https://ubuntu.com/security/CVE-2021-34981" } }, "CVE-2021-3501": { "affected_versions": "v5.9-rc1 to v5.12-rc8", "breaks": "1aa561b1a4c0ae2a9a9b9c21a84b5ca66b4775d8", "cmt_msg": "KVM: VMX: Don't use vcpu->run->internal.ndata as an array index", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", 
"raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Write", "fixes": "04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a", "last_affected_version": "5.11.15", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3501", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3501", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3501", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3501", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3501", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3501" } }, "CVE-2021-35039": { "affected_versions": "v4.15-rc1 to v5.13", "breaks": "7c9bc0983f890ed9782e755a0e070930cd979333", "cmt_msg": "module: limit enabling module.sig_enforce", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Verification of Cryptographic Signature", "fixes": "0c18f29aae7ce3dadd26d8ee3505d07cc982df75", "last_affected_version": "5.12", "last_modified": "2023-12-06", "nvd_text": "kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. 
Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-35039", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-35039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-35039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-35039", "SUSE": "https://www.suse.com/security/cve/CVE-2021-35039", "Ubuntu": "https://ubuntu.com/security/CVE-2021-35039" } }, "CVE-2021-3506": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to avoid out-of-bounds memory access", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "score": 5.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "b862676e371715456c9dade7990c8004996d0d9e", "last_affected_version": "5.12.2", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3506", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3506", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3506", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3506", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3506", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3506" } }, "CVE-2021-3542": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3542", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3542", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3542", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3542", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3542", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3542" }, "rejected": true }, "CVE-2021-3543": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "38907e124088b2f5b176acdf3d89926c09d3206a", "cmt_msg": "nitro_enclaves: Fix stale file descriptors on failed usercopy", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "NULL Pointer Dereference", "fixes": "f1ce3986baa62cffc3c5be156994de87524bab99", "last_affected_version": "5.12.2", "last_modified": "2023-12-06", "nvd_text": "A null pointer dereference flaw in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs force closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3543", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3543", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3543", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3543" } }, "CVE-2021-35477": { "affected_versions": "v2.6.12-rc2 to v5.14-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Introduce BPF nospec instruction for mitigating Spectre v4", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Observable Discrepancy", "fixes": "f5e81d1117501546b7be050c5fbafa6efd2c722c", "last_affected_version": "5.13.7", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store 
operation does not necessarily occur before a store operation that has an attacker-controlled value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-35477", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-35477", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-35477", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-35477", "SUSE": "https://www.suse.com/security/cve/CVE-2021-35477", "Ubuntu": "https://ubuntu.com/security/CVE-2021-35477" } }, "CVE-2021-3564": { "affected_versions": "v2.6.12-rc2 to v5.13-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: fix the erroneous flush_work() order", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "6a137caec23aeb9e036cdfd8a46dd8a366460e5d", "last_affected_version": "5.12.9", "last_modified": "2023-12-06", "nvd_text": "A double-free memory corruption flaw in the Linux kernel HCI device initialization subsystem was found in the way a user attaches a malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. 
This flaw affects all the Linux kernel versions starting from 3.13.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3564", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3564", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3564", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3564", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3564", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3564" } }, "CVE-2021-3573": { "affected_versions": "v2.6.12-rc2 to v5.13-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: use correct lock to prevent UAF of hdev object", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "e305509e678b3a4af2b3cfd410f409f7cdaabb52", "last_affected_version": "5.12.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way a user calls ioctl HCIUNBLOCKADDR or otherwise triggers a race condition between the call hci_unregister_dev() and one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. 
This flaw affects the Linux kernel versions prior to 5.13-rc5.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3573", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3573", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3573", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3573", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3573", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3573" } }, "CVE-2021-3587": { "affected_versions": "v3.3-rc1 to v5.13-rc5", "breaks": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "cmt_msg": "nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect", "fixes": "4ac06a1e013cf5fdd963317ffd3b968560f33bba", "last_affected_version": "5.12.9", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-38208. Reason: This candidate is a reservation duplicate of CVE-2021-38208. Notes: All CVE users should reference CVE-2021-38208 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3587", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3587", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3587", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3587", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3587", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3587" }, "rejected": true }, "CVE-2021-3600": { "affected_versions": "v4.15-rc9 to v5.11", "breaks": "68fda450a7df51cff9e5a4d4a4d9d0d5f2589153", "cmt_msg": "bpf: Fix 32 bit src register truncation on div/mod", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90", "last_affected_version": "5.10", "last_modified": "2024-01-12", "nvd_text": "It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. 
A local attacker could use this to possibly execute arbitrary code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3600", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3600", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3600", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3600", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3600", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3600" } }, "CVE-2021-3609": { "affected_versions": "v2.6.25-rc1 to v5.14-rc1", "breaks": "ffd980f976e7fd666c2e61bf8ab35107efd11828", "cmt_msg": "can: bcm: delay release of struct bcm_op after synchronize_rcu()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "d5f9023fa61ee8b94f37a93f08e94b136cf1e463", "last_affected_version": "5.13.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. 
This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3609", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3609", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3609", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3609", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3609", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3609" } }, "CVE-2021-3612": { "affected_versions": "v2.6.32-rc1 to v5.12-rc1-dontuse", "breaks": "999b874f4aa39b7abf45662ff0900f943ddb2d02", "cmt_msg": "Input: joydev - prevent potential read overflow in ioctl", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "182d679b2298d62bf42bb14b12a8067b8e17b617", "last_affected_version": "5.11.2", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3612", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3612", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3612", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3612", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3612", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3612" } }, "CVE-2021-3635": { "affected_versions": "v4.16-rc1 to v5.5-rc7", "breaks": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "cmt_msg": "netfilter: nf_tables: fix flowtable list del corruption", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "335178d5429c4cee61b58f4ac80688f556630818", "last_affected_version": "5.4.13", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. 
A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3635", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3635", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3635", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3635", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3635", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3635" } }, "CVE-2021-3640": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "99c23da0eed4fd20cae8243f2b51e10e66aa0951", "last_affected_version": "5.15.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way a user calls ioctl UFFDIO_REGISTER or otherwise triggers a race condition between the call sco_conn_del() and the call sco_sock_sendmsg() with the expected controllable faulting memory page. 
A privileged local user could use this flaw to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3640", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3640", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3640", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3640", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3640", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3640" } }, "CVE-2021-3653": { "affected_versions": "v2.6.30-rc1 to v5.14-rc7", "breaks": "3d6368ef580a4dff012960834bba4e28d3c1430c", "cmt_msg": "KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:C", "score": 6.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Missing Authorization", "fixes": "0f923e07124df069ba68d8bb12324398f4b6b709", "last_affected_version": "5.13.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"int_ctl\" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. 
This flaw affects Linux kernel versions prior to 5.14-rc7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3653", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3653", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3653", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3653", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3653", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3653" } }, "CVE-2021-3655": { "affected_versions": "v2.6.12-rc2 to v5.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: validate from_addr_param return", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Missing Initialization of Resource", "fixes": "0c5dc070ff3d6246d22ddd931f23a6266249e3db", "last_affected_version": "5.13.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. 
Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3655", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3655", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3655", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3655", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3655", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3655" } }, "CVE-2021-3656": { "affected_versions": "v4.13-rc1 to v5.14-rc7", "breaks": "89c8a4984fc98e625517bfe5083342d77ee35811", "cmt_msg": "KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Missing Authorization", "fixes": "c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc", "last_affected_version": "5.13.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"virt_ext\" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. 
As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3656", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3656", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3656", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3656" } }, "CVE-2021-3659": { "affected_versions": "v2.6.12-rc2 to v5.12-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: mac802154: Fix general protection fault", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "1165affd484889d4986cf3b724318935a0b120d8", "last_affected_version": "5.11.13", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3659", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3659", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3659", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3659", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3659", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3659" } }, "CVE-2021-3669": { "affected_versions": "v2.6.12-rc2 to v5.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipc: replace costly bailout check in sysvipc_find_ipc()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "20401d1058f3f841f35a594ac2fc1293710e55b9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. 
Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3669", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3669", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3669", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3669" } }, "CVE-2021-3679": { "affected_versions": "v2.6.28-rc1 to v5.14-rc3", "breaks": "bf41a158cacba6ca5fc6407a54e7ad8ce1567e2e", "cmt_msg": "tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "67f0d6d9883c13174669f88adac4f0ee656cc16a", "last_affected_version": "5.13.5", "last_modified": "2023-12-06", "nvd_text": "A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. 
Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3679", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3679", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3679", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3679", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3679", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3679" } }, "CVE-2021-3714": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. 
The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3714", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3714", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3714", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3714", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3714", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3714" } }, "CVE-2021-3715": { "affected_versions": "v3.18-rc1 to v5.6", "breaks": "1109c00547fc66df45b9ff923544be4c1e1bec13", "cmt_msg": "net_sched: cls_route: remove the right filter from hashtable", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ef299cc3fa1a9e1288665a9fdc8bff55629fd359", "last_affected_version": "5.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the \"Routing decision\" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3715", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3715", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3715", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3715", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3715", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3715" } }, "CVE-2021-37159": { "affected_versions": "v2.6.12-rc2 to v5.14-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: hso: fix error handling code of hso_create_net_device", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Double Free", "fixes": "a6ecfb39ba9d7316057cea823b196b734f6b18ca", "last_affected_version": "5.13.5", "last_modified": "2023-12-06", "nvd_text": "hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-37159", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-37159", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-37159", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-37159", "SUSE": "https://www.suse.com/security/cve/CVE-2021-37159", "Ubuntu": "https://ubuntu.com/security/CVE-2021-37159" } 
}, "CVE-2021-3732": { "affected_versions": "v3.18-rc2 to v5.14-rc6", "breaks": "c771d683a62e5d36bc46036f5c07f4f5bb7dda61", "cmt_msg": "ovl: prevent private clone if bind mount is not allowed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "427215d85e8d1476da1a86b8d67aceb485eb3631", "last_affected_version": "5.13.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. 
This flaw allows a local user to gain access to hidden files that should not be accessible.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3732", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3732", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3732", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3732", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3732", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3732" } }, "CVE-2021-3736": { "affected_versions": "v5.14-rc1 to v5.15-rc1", "breaks": "681c1615f8914451cfd432ad30e2f307b6490542", "cmt_msg": "vfio/mbochs: Fix missing error unwind of mbochs_used_mbytes", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "de5494af4815a4c9328536c72741229b7de88e7f", "last_affected_version": "5.14.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices. 
This flaw could allow a local attacker to leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3736", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3736", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3736", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3736", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3736", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3736" } }, "CVE-2021-3739": { "affected_versions": "v4.20-rc1 to v5.15-rc1", "breaks": "a27a94c2b0c727517c17cf2ca3a9f7291caadfbc", "cmt_msg": "btrfs: fix NULL pointer dereference when deleting device by invalid id", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "NULL Pointer Dereference", "fixes": "e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091", "last_affected_version": "5.14.0", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires \u2018CAP_SYS_ADMIN\u2019. This flaw allows a local attacker to crash the system or leak kernel internal information. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3739", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3739", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3739", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3739" } }, "CVE-2021-3743": { "affected_versions": "v4.15-rc1 to v5.13-rc7", "breaks": "194ccc88297ae78d0803adad83c6dcc369787c9e", "cmt_msg": "net: qrtr: fix OOB Read in qrtr_endpoint_post", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "ad9d24c9429e2159d1e279dc3a83191ccb4daf1d", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3743", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3743", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3743", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3743", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3743", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3743" } }, "CVE-2021-3744": { "affected_versions": "v4.12-rc1 to v5.15-rc4", "breaks": "36cf515b9bbe298e1ce7384620f0d4ec45ad3328", "cmt_msg": "crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "505d9dcb0f7ddf9d075e729523a33d38642ae680", "last_affected_version": "5.14.9", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). 
This vulnerability is similar to the older CVE-2019-18808.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3744", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3744", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3744", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3744", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3744", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3744" } }, "CVE-2021-3752": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: fix use-after-free error in lock_sock_nested()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "score": 7.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.1 }, "cwe": "Use After Free", "fixes": "1bff51ea59a9afb67d2dd78518ab0582a54a472c", "last_affected_version": "5.15.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s Bluetooth subsystem in the way a user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3752", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3752", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3752", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3752", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3752", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3752" } }, "CVE-2021-3753": { "affected_versions": "v2.6.12-rc2 to v5.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vt_kdsetmode: extend console locking", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "2287a51ba822384834dafc1c798453375d1107c7", "last_affected_version": "5.14.0", "last_modified": "2023-12-06", "nvd_text": "A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE). 
The highest threat from this vulnerability is to data confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3753", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3753", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3753", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3753", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3753", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3753" } }, "CVE-2021-37576": { "affected_versions": "v3.10-rc1 to v5.14-rc3", "breaks": "8e591cb7204739efa8e15967ea334eb367039dde", "cmt_msg": "KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a", "last_affected_version": "5.13.5", "last_modified": "2023-12-06", "nvd_text": "arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-37576", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-37576", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-37576", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-37576", "SUSE": "https://www.suse.com/security/cve/CVE-2021-37576", "Ubuntu": "https://ubuntu.com/security/CVE-2021-37576" } }, "CVE-2021-3759": { "affected_versions": "v4.5-rc1 
to v5.15-rc1", "breaks": "a9bb7e620efdfd29b6d1c238041173e411670996", "cmt_msg": "memcg: enable accounting of ipc resources", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Uncontrolled Resource Consumption", "fixes": "18319498fdd4cdf8c1c2c48cd432863b1f915d6f", "last_affected_version": "5.10.153", "last_modified": "2023-12-06", "nvd_text": "A memory overflow vulnerability was found in the Linux kernel\u2019s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3759", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3759", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3759", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3759", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3759", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3759" } }, "CVE-2021-3760": { "affected_versions": "v4.0-rc1 to v5.15-rc6", "breaks": "736bb9577407d3556d81c3c3cd57581cd3ae10ea", "cmt_msg": "nfc: nci: fix the UAF of rf_conn_info object", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "1b1499a817c90fd1ce9453a2c98d2a01cca0e775", "last_affected_version": "5.14.14", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3760", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3760", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3760", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3760", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3760", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3760" } }, "CVE-2021-3764": { "affected_versions": "v4.12-rc1 to v5.15-rc4", "breaks": "36cf515b9bbe298e1ce7384620f0d4ec45ad3328", "cmt_msg": "crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "505d9dcb0f7ddf9d075e729523a33d38642ae680", "last_affected_version": "5.14.9", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. 
The highest threat from this vulnerability is to system availability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3764", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3764", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3764", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3764", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3764", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3764" } }, "CVE-2021-3772": { "affected_versions": "v2.6.12-rc2 to v5.15", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: use init_tag from inithdr for ABORT chunk", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "score": 5.8 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "score": 6.5 }, "cwe": "Improper Validation of Integrity Check Value", "fixes": "4f7019c7eb33967eb87766e0e4602b5576873680", "last_affected_version": "5.14", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux SCTP stack. 
A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3772", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3772", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3772", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3772", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3772", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3772" } }, "CVE-2021-38160": { "affected_versions": "v2.6.12-rc2 to v5.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "virtio_console: Assure used length from device is limited", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "d00d8da5869a2608e97cfede094dfc5e11462a46", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. 
NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38160", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38160", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38160", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38160", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38160", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38160" } }, "CVE-2021-38166": { "affected_versions": "v5.6-rc1 to v5.14-rc6", "breaks": "057996380a42bb64ccc04383cfa9c0ace4ea11f0", "cmt_msg": "bpf: Fix integer overflow involving bucket_size", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "c4eb1f403243fc7bbb7de644db8587c03de36da6", "last_affected_version": "5.13.11", "last_modified": "2023-12-06", "nvd_text": "In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. 
NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38166", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38166", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38166", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38166" } }, "CVE-2021-38198": { "affected_versions": "v2.6.20-rc4 to v5.13-rc6", "breaks": "cea0f0e7ea54753c3265dc77f605a6dad1912cfc", "cmt_msg": "KVM: X86: MMU: Use the correct inherited permissions to get shadow page", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "b1bd5cba3306691c771d558e94baa73e8b0b96b7", "last_affected_version": "5.12.10", "last_modified": "2023-12-06", "nvd_text": "arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38198", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38198", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38198", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38198", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38198", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38198" } }, "CVE-2021-38199": { "affected_versions": 
"v4.8-rc1 to v5.14-rc1", "breaks": "5c6e5b60aae4347223f176966455010a5715b863", "cmt_msg": "NFSv4: Initialise connection to the server in nfs4_alloc_client()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "dd99e9f98fbf423ff6d365b37a98e8879170f17c", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38199", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38199", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38199", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38199", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38199", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38199" } }, "CVE-2021-38200": { "affected_versions": "v5.11-rc1 to v5.13-rc7", "breaks": "2ca13a4cc56c920a6c9fc8ee45d02bccacd7f46c", "cmt_msg": "powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "60b7ed54a41b550d50caf7f2418db4a7e75b5bdc", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered, allows local users to cause a denial of service (perf_instruction_pointer NULL pointer dereference and OOPS) via a \"perf record\" command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38200", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38200", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38200", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38200", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38200", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38200" } }, "CVE-2021-38201": { "affected_versions": "v5.11-rc1 to v5.14-rc1", "breaks": "8d86e373b0ef52d091ced9583ffbb33ad2771576", "cmt_msg": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": 
"6d1c0f3d28f98ea2736128ed3e46821496dc3a8c", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38201", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38201", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38201", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38201", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38201", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38201" } }, "CVE-2021-38202": { "affected_versions": "v5.13-rc1 to v5.14-rc1", "breaks": "6019ce0742ca55d3e45279a19b07d1542747a098", "cmt_msg": "NFSD: Prevent a possible oops in the nfs_dirent() tracepoint", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Out-of-bounds Read", "fixes": "7b08cf62b1239a4322427d677ea9363f0ab677c6", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38202", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38202", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-38202", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38202", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38202", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38202" } }, "CVE-2021-38203": { "affected_versions": "v5.13-rc1 to v5.14-rc2", "breaks": "eafa4fd0ad06074da8be4e28ff93b4dca9ffa407", "cmt_msg": "btrfs: fix deadlock with concurrent chunk allocations involving system chunks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Allocation of Resources Without Limits or Throttling", "fixes": "1cb3db1cf383a3c7dbda1aa0ce748b0958759947", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38203", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38203", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38203", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38203", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38203", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38203" } }, "CVE-2021-38204": { "affected_versions": "v3.16-rc1 to v5.14-rc3", "breaks": "2d53139f31626bad6f8983d8e519ddde2cbba921", "cmt_msg": "usb: max-3421: Prevent corruption of freed memory", 
"cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "Use After Free", "fixes": "b5fdf5c6e6bee35837e160c00ac89327bdad031b", "last_affected_version": "5.13.5", "last_modified": "2023-12-06", "nvd_text": "drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38204", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38204", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38204", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38204", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38204", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38204" } }, "CVE-2021-38205": { "affected_versions": "v2.6.32-rc1 to v5.14-rc1", "breaks": "bb81b2ddfa194b6d12761a350b5b5985cecae0a9", "cmt_msg": "net: xilinx_emaclite: Do not print real IOMEM pointer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "score": 3.3 }, "cwe": "Access of Uninitialized Pointer", "fixes": "d0d62baa7f505bd4c59cd169692ff07ec49dde37", "last_affected_version": "5.13.2", "last_modified": "2023-12-06", "nvd_text": "drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38205", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38205", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38205", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38205", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38205", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38205" } }, "CVE-2021-38206": { "affected_versions": "v5.9-rc1 to v5.13-rc7", "breaks": "cb17ed29a7a5fea8c9bf70e8a05757d71650e025", "cmt_msg": "mac80211: Fix NULL ptr deref for injected rate info", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "bddc0c411a45d3718ac535a070f349be8eca8d48", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38206", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38206", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38206", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38206", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38206", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38206" } }, "CVE-2021-38207": { "affected_versions": "v5.6-rc4 to v5.13-rc7", "breaks": "84823ff80f7403752b59e00bb198724100dc611c", "cmt_msg": "net: ll_temac: Fix TX BD buffer overwrite", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "c364df2489b8ef2f5e3159b1dff1ff1fdb16040d", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38207", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38207", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38207", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38207", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38207", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38207" } }, "CVE-2021-38208": { "affected_versions": "v3.3-rc1 to v5.13-rc5", 
"breaks": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "cmt_msg": "nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "4ac06a1e013cf5fdd963317ffd3b968560f33bba", "last_affected_version": "5.12.9", "last_modified": "2023-12-06", "nvd_text": "net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38208", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38208", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38208", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38208", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38208", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38208" } }, "CVE-2021-38209": { "affected_versions": "v5.7-rc1 to v5.13-rc1", "breaks": "d0febd81ae77a0e13717f1412ff9589e43fc4f8b", "cmt_msg": "netfilter: conntrack: Make global sysctls readonly in non-init netns", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Observable Discrepancy", "fixes": "2671fa4dc0109d3fb581bc3078fdf17b5d9080f6", "last_affected_version": "5.12.1", "last_modified": "2023-12-06", "nvd_text": "net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38209", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38209", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38209", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38209", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38209", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38209" } }, "CVE-2021-38300": { "affected_versions": "v3.16-rc1 to v5.15-rc4", "breaks": "c6610de353da5ca6eee5b8960e838a87a90ead0c", "cmt_msg": "bpf, mips: Validate conditional branch offsets", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "37cb28ec7d3a36a5bace7063a3dba633ab110f8b", "last_affected_version": "5.14.9", "last_modified": "2023-12-06", "nvd_text": "arch/mips/net/bpf_jit.c in the Linux kernel 
before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-38300", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-38300", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-38300", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-38300", "SUSE": "https://www.suse.com/security/cve/CVE-2021-38300", "Ubuntu": "https://ubuntu.com/security/CVE-2021-38300" } }, "CVE-2021-3847": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Preservation of Permissions", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw allowing unauthorized execution of a setuid file with capabilities was found in the Linux kernel OverlayFS subsystem, in the way a user copies a capable file from a nosuid mount into another mount. 
A local user could use this flaw to escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3847", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3847", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3847", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3847", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3847" } }, "CVE-2021-3864": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries execute their descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. 
An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3864", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3864", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3864", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3864", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3864" } }, "CVE-2021-3892": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-18198. Reason: This candidate is a reservation duplicate of CVE-2019-18198. Notes: All CVE users should reference CVE-2019-18198 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3892", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3892", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3892", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3892", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3892", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3892" }, "rejected": true }, "CVE-2021-3894": { "affected_versions": "v4.11-rc1 to v5.15-rc6", "breaks": "cc16f00f6529aa2378f2b949a6f68e9dc6dec363", "cmt_msg": "sctp: account stream padding length for reconf chunk", "fixes": "a2d859e3fc97e79d907761550dbc03ff1b36479c", "last_affected_version": "5.14.13", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3894", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3894", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3894", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3894", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3894", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3894" }, "rejected": true }, "CVE-2021-3896": { "affected_versions": "unk to v5.15-rc6", "breaks": "", "cmt_msg": "isdn: cpai: check ctr->cnr to avoid array index out of bound", "fixes": "1f3e2e97c003f80c4b087092b225c8787ff91e4d", "last_affected_version": "5.14.14", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3896", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3896", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3896", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3896" }, "rejected": true }, "CVE-2021-3923": { "affected_versions": "v4.12-rc1 to v5.16", "breaks": "4ba66093bdc6316cd2fe48e74a54bfc29599322f", "cmt_msg": "RDMA/core: Don't infoleak GRH fields", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "score": 2.3 }, "cwe": "Unspecified", "fixes": "b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd", "last_affected_version": 
"5.15", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-3923", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-3923", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-3923", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-3923", "SUSE": "https://www.suse.com/security/cve/CVE-2021-3923", "Ubuntu": "https://ubuntu.com/security/CVE-2021-3923" } }, "CVE-2021-39633": { "affected_versions": "v3.10-rc1 to v5.14", "breaks": "c54419321455631079c7d6e60bc732dd0c5914c5", "cmt_msg": "ip_gre: add validation for csum_start", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "1d011c4803c72f3907eccfc1ec63caefb852fcbf", "last_affected_version": "5.13", "last_modified": "2023-12-06", "nvd_text": "In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-150694665. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39633", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39633", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39633", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39633" } }, "CVE-2021-39634": { "affected_versions": "v2.6.12-rc2 to v5.9-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "epoll: do not insert into poll queues until all sanity checks are done", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f8d4f44df056c5b504b0d49683fb7279218fd207", "last_affected_version": "5.8.13", "last_modified": "2023-12-06", "nvd_text": "In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-204450605. References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39634", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39634", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39634", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39634", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39634" } }, "CVE-2021-39636": { "affected_versions": "v2.6.12-rc2 to v4.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: x_tables: fix pointer leaks to userspace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Missing Initialization of Resource", "fixes": "1e98ffea5a8935ec040ab72299e349cb44b8defd", "last_affected_version": "4.14.36", "last_modified": "2023-12-06", "nvd_text": "In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information due to uninitialized data. This could lead to local information disclosure with system execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-120612905References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39636", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39636", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39636", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39636" } }, "CVE-2021-39648": { "affected_versions": "v2.6.12-rc2 to v5.11-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: gadget: configfs: Fix use-after-free issue with udc_name", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.1 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "64e6bbfff52db4bf6785fab9cffab850b2de6870", "last_affected_version": "5.10.6", "last_modified": "2023-12-06", "nvd_text": "In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-160822094References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39648", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39648", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39648", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39648" } }, "CVE-2021-39656": { "affected_versions": "v5.3-rc8 to v5.12-rc3", "breaks": "b0841eefd9693827afb9888235e26ddd098f9cef", "cmt_msg": "configfs: fix a use-after-free in __configfs_open_file", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "14fbbc8297728e880070f7b077b3301a8c698ef9", "last_affected_version": "5.11.6", "last_modified": "2023-12-06", "nvd_text": "In __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174049066References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39656", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39656", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39656", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39656" } }, "CVE-2021-39657": { "affected_versions": "v3.4-rc1 to v5.11-rc4", "breaks": "7a3e97b0dc4bbac2ba7803564ab0057722689921", "cmt_msg": "scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "35fc4cd34426c242ab015ef280853b7bff101f48", "last_affected_version": "5.10.10", "last_modified": "2023-12-06", "nvd_text": "In ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-194696049References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39657", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39657", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39657", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39657", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39657", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39657" } }, "CVE-2021-39685": { "affected_versions": "v2.6.12-rc2 to v5.16-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: gadget: detect too-big endpoint 0 requests", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "153a2d7e3350cc89d406ba2d35be8793a64c2038", "last_affected_version": "5.15.7", "last_modified": "2023-12-06", "nvd_text": "In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210292376References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39685", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39685", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39685", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39685", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39685", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39685" } }, "CVE-2021-39686": { "affected_versions": "v2.6.29-rc1 to v5.16-rc1", "breaks": "457b9a6f09f011ebcb9b52cc203a6331a6fc2de7", "cmt_msg": "binder: use euid from cred instead of using task", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Privilege Management", "fixes": "29bc22ac5e5bc63275e850f0c8fc549e3d0e306b", "last_affected_version": "5.15.1", "last_modified": "2023-12-06", "nvd_text": "In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39686", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39686", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39686", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39686", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39686", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39686" } }, "CVE-2021-39698": { "affected_versions": "v2.6.12-rc2 to v5.16-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "wait: add wake_up_pollfree()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "42288cb44c4b5fff7653bc392b583a2b8bd6a8c0", "last_affected_version": "5.15.7", "last_modified": "2023-12-06", "nvd_text": "In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39698", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39698", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39698", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39698", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39698", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39698" } }, "CVE-2021-39711": { "affected_versions": "v4.12-rc1 to v4.18-rc6", "breaks": "1cf1cae963c2e6032aebe1637e995bc2f5d330f4", "cmt_msg": "bpf: fix panic due to oob in bpf_prog_test_run_skb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Out-of-bounds Read", "fixes": "6e6fddc78323533be570873abb728b7e0ba7e024", "last_affected_version": "4.14.258", "last_modified": "2023-12-06", "nvd_text": "In bpf_prog_test_run_skb of test_run.c, there is a possible out of bounds read due to Incorrect Size Value. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154175781References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39711", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39711", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39711", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39711", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39711", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39711" } }, "CVE-2021-39713": { "affected_versions": "v4.19-rc1 to v4.20-rc1", "breaks": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e", "cmt_msg": "net: sched: use Qdisc rcu API instead of relying on rtnl lock", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "e368fdb61d8e7c67ac70791b23345b26d7bbc661", "last_affected_version": "4.19.220", "last_modified": "2023-12-06", "nvd_text": "Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39713", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39713", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39713", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39713", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39713", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39713" } }, "CVE-2021-39714": { "affected_versions": "v3.14-rc1 to v4.12-rc1", 
"breaks": "b892bf75b2034e0e4af23da9a276160b8ad26c15", "cmt_msg": "staging: android: ion: Drop ion_map_kernel interface", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "e3b914bc7eb6bcecc5b597ee6e31fc40442c291f", "last_modified": "2023-12-06", "nvd_text": "In ion_buffer_kmap_get of ion.c, there is a possible use-after-free due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-205573273References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39714", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39714", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39714", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39714", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39714", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39714" } }, "CVE-2021-39800": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", 
"Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Use After Free", "fixes": "504e1d6ee65d5b5a053253ae62f46035d774353c", "last_modified": "2023-12-06", "nvd_text": "In ion_ioctl of ion-ioctl.c, there is a possible way to leak kernel heap data due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-208277166References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39800", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39800", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39800", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39800", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39800", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39800" } }, "CVE-2021-39801": { "affected_versions": "v2.6.12-rc2 to unk", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "504e1d6ee65d5b5a053253ae62f46035d774353c", "last_modified": "2023-12-06", "nvd_text": "In ion_ioctl of ion-ioctl.c, there is a possible use after free due to improper locking. 
This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-209791720References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39801", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39801", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39801", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39801", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39801", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39801" } }, "CVE-2021-39802": { "affected_versions": "unk to unk", "breaks": "b44e46bb047d136bc8977497b6fc2a9f08740321", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "ac4488815518c236e60c0048833c51a76404b1b6", "last_modified": "2023-12-06", "nvd_text": "In change_pte_range of mprotect.c , there is a possible way to make a shared mmap writable due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-213339151References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-39802", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-39802", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-39802", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-39802", "SUSE": "https://www.suse.com/security/cve/CVE-2021-39802", "Ubuntu": "https://ubuntu.com/security/CVE-2021-39802" }, "vendor_specific": true }, "CVE-2021-4001": { "affected_versions": "v5.5-rc1 to v5.16-rc2", "breaks": "a23740ec43ba022dbfd139d0fe3eff193216272b", "cmt_msg": "bpf: Fix toctou on read-only map's constant scalar tracking", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "None", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:N/I:C/A:N", "score": 4.7 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "score": 4.1 }, "cwe": "Time-of-check Time-of-use (TOCTOU) Race Condition", "fixes": "353050be4c19e102178ccc05988101887c25ae53", "last_affected_version": "5.15.4", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. 
This flaw affects kernel versions prior to 5.16 rc2.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4001", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4001", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4001", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4001" } }, "CVE-2021-4002": { "affected_versions": "v3.6-rc1 to v5.16-rc3", "breaks": "24669e58477e2752c1fbca9c1c988e9dd0d79d15", "cmt_msg": "hugetlbfs: flush TLBs correctly after huge_pmd_unshare", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "score": 4.4 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "a4a118f2eead1d6c49e00765de89878288d4b890", "last_affected_version": "5.15.4", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. 
A local user could use this flaw to get unauthorized access to some data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4002", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4002", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4002", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4002" } }, "CVE-2021-4023": { "affected_versions": "unk to v5.15-rc1", "backport": true, "breaks": "3146cba99aa284b1d4a10fbd923df953f1d18035", "cmt_msg": "io-wq: fix cancellation on create-worker failure", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "713b9825a4c47897f66ad69409581e7734a8728e", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the io-workqueue implementation in the Linux kernel versions prior to 5.15-rc1. The kernel can panic when an improper cancellation operation triggers the submission of new io-uring operations during a shortage of free space. 
This flaw allows a local user with permissions to execute io-uring requests to possibly crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4023", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4023", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4023", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4023", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4023", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4023" } }, "CVE-2021-4028": { "affected_versions": "v5.10-rc1 to v5.15-rc4", "breaks": "732d41c545bb359cbb8c94698bdc1f8bcf82279c", "cmt_msg": "RDMA/cma: Do not change route.addr.src_addr.ss_family", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "bc0bdc5afaa740d782fbf936aaeebd65e5c2921d", "last_affected_version": "5.14.9", "last_modified": "2023-12-06", "nvd_text": "A flaw in the Linux kernel's implementation of RDMA communications manager listener code allowed an attacker with local access to set up a socket to listen on a high port, allowing a list element to be used after free. 
Given the ability to execute code, a local attacker could leverage this use-after-free to crash the system or possibly escalate privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4028", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4028", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4028", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4028", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4028", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4028" } }, "CVE-2021-4032": { "affected_versions": "v5.15-rc1 to v5.15-rc7", "breaks": "421221234ada41b4a9f0beeb08e30b07388bd4bd", "cmt_msg": "Revert \"KVM: x86: Open code necessary bits of kvm_lapic_set_base() at vCPU RESET\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Incomplete Cleanup", "fixes": "f7d8a19f9a056a05c5c509fa65af472a322abfee", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when an allocation failure was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happen during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. 
This flaw affects kernel versions prior to 5.15 rc7.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4032", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4032", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4032", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4032", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4032", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4032" } }, "CVE-2021-4037": { "affected_versions": "v2.6.12-rc2 to v5.12-rc1-dontuse", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: fix up non-directory creation in SGID directories", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Access Control", "fixes": "01ea173e103edd5ec41acec65b9261b87e123fc2", "last_affected_version": "5.10.145", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted where they should not be. 
This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4037", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4037", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4037", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4037", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4037", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4037" } }, "CVE-2021-40490": { "affected_versions": "v3.8-rc1 to v5.15-rc1", "breaks": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e", "cmt_msg": "ext4: fix race writing to an inline_data file while its xattrs are changing", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "a54c4613dac1500b40e4ab55199f7c51f028e848", "last_affected_version": "5.14.1", "last_modified": "2023-12-06", "nvd_text": "A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-40490", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-40490", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-40490", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-40490", "SUSE": "https://www.suse.com/security/cve/CVE-2021-40490", "Ubuntu": 
"https://ubuntu.com/security/CVE-2021-40490" } }, "CVE-2021-4083": { "affected_versions": "v2.6.12-rc2 to v5.16-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fget: check that the fd still exists after getting a ref to it", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "054aa8d439b9185d4f5eb9a90282d1ce74772969", "last_affected_version": "5.15.6", "last_modified": "2023-12-06", "nvd_text": "A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. 
This flaw affects Linux kernel versions prior to 5.16-rc4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4083", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4083", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4083", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4083", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4083", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4083" } }, "CVE-2021-4090": { "affected_versions": "v5.11-rc1 to v5.16-rc2", "breaks": "d1c263a031e876ac3ca5223c728e4d98ed50b3c0", "cmt_msg": "NFSD: Fix exposure in nfsd4_decode_bitmap()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:N", "score": 6.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "score": 7.1 }, "cwe": "Out-of-bounds Write", "fixes": "c0019b7db1d7ac62c711cda6b357a659d46428fe", "last_affected_version": "5.15.4", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity checks may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. 
In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system integrity and confidentiality threat.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4090", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4090", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4090", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4090", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4090", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4090" } }, "CVE-2021-4093": { "affected_versions": "v5.11-rc1 to v5.15-rc7", "breaks": "7ed9abfe8e9f62384f9b11c9fca19e551dbec5bd", "cmt_msg": "KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Out-of-bounds Read", "fixes": "95e16b4792b0429f1933872f743410f00e590c55", "last_affected_version": "5.14.14", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. 
This issue results in a crash of the entire system or a potential guest-to-host escape scenario.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4093", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4093", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4093", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4093", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4093", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4093" } }, "CVE-2021-4095": { "affected_versions": "v5.12-rc1-dontuse to v5.17-rc1", "breaks": "629b5348841a10afce49fbe81619863fd839f217", "cmt_msg": "KVM: x86: Fix wall clock writes in Xen shared_info not to mark page dirty", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "55749769fe608fa3f4a075e42e89d237c8e37637", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. 
This flaw affects Linux kernel versions prior to 5.17-rc1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4095", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4095", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4095", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4095" } }, "CVE-2021-41073": { "affected_versions": "v5.10-rc1 to v5.15-rc2", "breaks": "4017eb91a9e79bbb5d14868c207436f4a6a0af50", "cmt_msg": "io_uring: ensure symmetry in handling iter types in loop_rw_iter()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc", "last_affected_version": "5.14.6", "last_modified": "2023-12-06", "nvd_text": "loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc//maps for exploitation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-41073", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-41073", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-41073", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-41073", "SUSE": "https://www.suse.com/security/cve/CVE-2021-41073", "Ubuntu": "https://ubuntu.com/security/CVE-2021-41073" 
} }, "CVE-2021-4135": { "affected_versions": "v4.16-rc1 to v5.16-rc6", "breaks": "395cacb5f1a0a290f1ae9ca4692c400d2b57a705", "cmt_msg": "netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "481221775d53d6215a6e5e9ce1cce6d2b4ab9a46", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4135", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4135", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4135", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4135", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4135", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4135" } }, "CVE-2021-4148": { "affected_versions": "v5.4-rc1 to v5.15", "breaks": "99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0", "cmt_msg": "mm: khugepaged: skip huge page collapse for special files", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", 
"User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Validation of Integrity Check Value", "fixes": "a4aeaa06d45e90f9b279f0b09de84bd00006e733", "last_affected_version": "5.14", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4148", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4148", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4148", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4148", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4148", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4148" } }, "CVE-2021-4149": { "affected_versions": "v2.6.12-rc2 to v5.15-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: unlock newly allocated extent buffer after error", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Locking", "fixes": "19ea40dddf1833db868533958ca066f368862211", "last_affected_version": "5.14.13", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. 
In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4149", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4149", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4149", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4149", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4149", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4149" } }, "CVE-2021-4150": { "affected_versions": "v2.6.12-rc2 to v5.15-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block: fix incorrect references to disk objects", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "9fbfabfda25d8774c5a08634fdd2da000a924890", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. 
The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4150", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4150", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4150", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4150", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4150", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4150" } }, "CVE-2021-4154": { "affected_versions": "v5.1-rc1 to v5.14-rc2", "breaks": "8d2451f4994fa60a57617282bab91b98266a00b1", "cmt_msg": "cgroup: verify that source is a string", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Use After Free", "fixes": "3b0462726e7ef281c35a7a4ae33e93ee2bc9975b", "last_affected_version": "5.13.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. 
A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4154", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4154", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4154", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4154", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4154", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4154" } }, "CVE-2021-4155": { "affected_versions": "v2.6.12-rc2 to v5.16", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Incorrect Calculation of Buffer Size", "fixes": "983d8e60f50806f90534cc5373d0ce867e5aaf79", "last_affected_version": "5.15", "last_modified": "2023-12-06", "nvd_text": "A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. 
A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4155", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4155", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4155", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4155", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4155", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4155" } }, "CVE-2021-4157": { "affected_versions": "v4.0-rc1 to v5.13-rc1", "breaks": "d67ae825a59d639e4d8b82413af84d854617a87e", "cmt_msg": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:A/AC:M/Au:S/C:C/I:C/A:C", "score": 7.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.0 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "last_affected_version": "5.12.4", "last_modified": "2023-12-06", "nvd_text": "An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). 
A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4157", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4157", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4157", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4157", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4157", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4157" } }, "CVE-2021-4159": { "affected_versions": "v2.6.12-rc2 to v5.7-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Unspecified", "fixes": "294f2fc6da27620a506e6c050241655459ccd6bd", "last_affected_version": "5.4.209", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. 
A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4159", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4159", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4159", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4159", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4159", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4159" } }, "CVE-2021-41864": { "affected_versions": "v4.6-rc1 to v5.15-rc5", "breaks": "557c0c6e7df8e14a46bd7560d193fa5bbc00a858", "cmt_msg": "bpf: Fix integer overflow in prealloc_elems_and_freelist()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "30e29a9a2bc6a4888335a6ede968b75cd329657a", "last_affected_version": "5.14.11", "last_modified": "2023-12-06", "nvd_text": "prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-41864", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-41864", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-41864", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-41864", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-41864", "Ubuntu": "https://ubuntu.com/security/CVE-2021-41864" } }, "CVE-2021-4197": { "affected_versions": "v4.2-rc1 to v5.16", "breaks": "187fe84067bd377047cfcb7f2bbc7c9dc12d290c", "cmt_msg": "cgroup: Use open-time credentials for process migraton perm checks", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Authentication", "fixes": "1756d7994ad85c2479af6ae5a9750b92324685af", "last_affected_version": "5.15", "last_modified": "2023-12-06", "nvd_text": "An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. 
A local user could use this flaw to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4197", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4197", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4197", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4197", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4197", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4197" } }, "CVE-2021-42008": { "affected_versions": "v2.6.12-rc2 to v5.14-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: 6pack: fix slab-out-of-bounds in decode_data", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "19d1532a187669ce86d5a2696eb7275310070793", "last_affected_version": "5.13.12", "last_modified": "2023-12-06", "nvd_text": "The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. 
Input from a process that has the CAP_NET_ADMIN capability can lead to root access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-42008", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-42008", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-42008", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-42008", "SUSE": "https://www.suse.com/security/cve/CVE-2021-42008", "Ubuntu": "https://ubuntu.com/security/CVE-2021-42008" } }, "CVE-2021-4202": { "affected_versions": "v3.2-rc1 to v5.16-rc2", "breaks": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "cmt_msg": "NFC: reorganize the functions in nci_request", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "86cdf8e38792545161dbe3350a7eced558ba4d15", "last_affected_version": "5.15.4", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. 
This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4202", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4202", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4202", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4202", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4202", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4202" } }, "CVE-2021-4203": { "affected_versions": "v2.6.36-rc1 to v5.15-rc4", "breaks": "109f6e39fa07c48f580125f531f46cb7c245b528", "cmt_msg": "af_unix: fix races in sk_peer_pid and sk_peer_cred accesses", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:S/C:P/I:N/A:P", "score": 4.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.8 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "35306eb23814444bd4021f8a1c3047d3cb0c8b2b", "last_affected_version": "5.14.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. 
In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4203", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4203", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4203", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4203", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4203", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4203" } }, "CVE-2021-4204": { "affected_versions": "v5.8-rc1 to v5.17-rc1", "breaks": "457f44363a8894135c85b7a9afd2bd8196db24ab", "cmt_msg": "bpf: Generalize check_ctx_reg for reuse with other types", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Improper Input Validation", "fixes": "be80a1d3f9dbe5aee79a325964f7037fe2d92f30", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. 
This flaw allows a local attacker with a special privilege to crash the system or leak internal information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4204", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4204", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4204", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4204", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4204", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4204" } }, "CVE-2021-4218": { "affected_versions": "v2.6.12-rc2 to v5.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sysctl: pass kernel pointers to ->proc_handler", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Initialization", "fixes": "32927393dc1ccd60fb2bdc05b9e8e88753761469", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s implementation of reading the SVC RDMA counters. Reading the counter sysctl panics the system. This flaw allows a local attacker with local access to cause a denial of service while the system reboots. 
The issue is specific to CentOS/RHEL.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-4218", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-4218", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-4218", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-4218", "SUSE": "https://www.suse.com/security/cve/CVE-2021-4218", "Ubuntu": "https://ubuntu.com/security/CVE-2021-4218" } }, "CVE-2021-42252": { "affected_versions": "v4.12-rc1 to v5.15-rc1", "breaks": "6c4e976785011dfbe461821d0bfc58cfd60eac56", "cmt_msg": "soc: aspeed: lpc-ctrl: Fix boundary check for mmap", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "b49a0e69a7b1a68c8d3f64097d06dabb770fec96", "last_affected_version": "5.14.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. 
This occurs because a certain comparison uses values that are not memory sizes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-42252", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-42252", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-42252", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-42252", "SUSE": "https://www.suse.com/security/cve/CVE-2021-42252", "Ubuntu": "https://ubuntu.com/security/CVE-2021-42252" } }, "CVE-2021-42327": { "affected_versions": "v5.10-rc1 to v5.15", "breaks": "918698d5c2b50433714d2042f55b55b090faa167", "cmt_msg": "drm/amdgpu: fix out of bounds write", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "5afa7898ab7a0ec9c28556a91df714bf3c2f725e", "last_affected_version": "5.14", "last_modified": "2023-12-06", "nvd_text": "dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. 
There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-42327", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-42327", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-42327", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-42327", "SUSE": "https://www.suse.com/security/cve/CVE-2021-42327", "Ubuntu": "https://ubuntu.com/security/CVE-2021-42327" } }, "CVE-2021-42739": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "35d2969ea3c7d32aee78066b1f3cf61a0d935a4e", "last_affected_version": "5.15.0", "last_modified": "2024-04-09", "nvd_text": "The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-42739", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-42739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-42739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-42739", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-42739", "Ubuntu": "https://ubuntu.com/security/CVE-2021-42739" } }, "CVE-2021-43056": { "affected_versions": "v5.2-rc1 to v5.15-rc6", "breaks": "10d91611f426d4bafd2a83d966c36da811b2f7ad", "cmt_msg": "KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "cdeb5d7d890e14f3b70e8087e745c4a6a7d9f337", "last_affected_version": "5.14.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel for powerpc before 5.14.15. 
It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-43056", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-43056", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-43056", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-43056", "SUSE": "https://www.suse.com/security/cve/CVE-2021-43056", "Ubuntu": "https://ubuntu.com/security/CVE-2021-43056" } }, "CVE-2021-43057": { "affected_versions": "v5.13-rc1 to v5.15-rc3", "breaks": "eb1231f73c4d7dc26db55e08c070e6526eaf7ee5", "cmt_msg": "selinux,smack: fix subjective/objective credential use mixups", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "a3727a8bac0a9e77c70820655fd8715523ba3db7", "last_affected_version": "5.14.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. 
This occurs because of an attempt to access the subjective credentials of another task.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-43057", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-43057", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-43057", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-43057", "SUSE": "https://www.suse.com/security/cve/CVE-2021-43057", "Ubuntu": "https://ubuntu.com/security/CVE-2021-43057" } }, "CVE-2021-43267": { "affected_versions": "v5.10-rc1 to v5.15", "breaks": "1ef6f7c9390ff5308c940ff8d0a53533a4673ad9", "cmt_msg": "tipc: fix size validations for the MSG_CRYPTO type", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "score": 7.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Improper Input Validation", "fixes": "fa40d9734a57bcbfa79a280189799f76c88f7bb0", "last_affected_version": "5.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. 
The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-43267", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-43267", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-43267", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-43267", "SUSE": "https://www.suse.com/security/cve/CVE-2021-43267", "Ubuntu": "https://ubuntu.com/security/CVE-2021-43267" } }, "CVE-2021-43389": { "affected_versions": "v2.6.12-rc2 to v5.15-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "isdn: cpai: check ctr->cnr to avoid array index out of bound", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "1f3e2e97c003f80c4b087092b225c8787ff91e4d", "last_affected_version": "5.14.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.14.15. 
There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-43389", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-43389", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-43389", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-43389", "SUSE": "https://www.suse.com/security/cve/CVE-2021-43389", "Ubuntu": "https://ubuntu.com/security/CVE-2021-43389" } }, "CVE-2021-43975": { "affected_versions": "v2.6.12-rc2 to v5.16-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "b922f622592af76b57cbc566eaeccda0b31a3496", "last_affected_version": "5.15.6", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-43975", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-43975", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-43975", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-43975", "SUSE": "https://www.suse.com/security/cve/CVE-2021-43975", "Ubuntu": 
"https://ubuntu.com/security/CVE-2021-43975" } }, "CVE-2021-43976": { "affected_versions": "v2.6.12-rc2 to v5.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mwifiex: Fix skb_over_panic in mwifiex_usb_recv()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Unspecified", "fixes": "04d80663f67ccef893061b49ec8a42ff7045ae84", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-43976", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-43976", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-43976", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-43976", "SUSE": "https://www.suse.com/security/cve/CVE-2021-43976", "Ubuntu": "https://ubuntu.com/security/CVE-2021-43976" } }, "CVE-2021-44733": { "affected_versions": "v4.12-rc1 to v5.16-rc7", "breaks": "967c9cca2cc50569efc65945325c173cecba83bd", "cmt_msg": "tee: handle lookup of shm with reference count 0", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack 
Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "dfd0743f1d9ea76931510ed150334d571fbab49d", "last_affected_version": "5.15.11", "last_modified": "2023-12-06", "nvd_text": "A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-44733", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-44733", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-44733", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-44733", "SUSE": "https://www.suse.com/security/cve/CVE-2021-44733", "Ubuntu": "https://ubuntu.com/security/CVE-2021-44733" } }, "CVE-2021-44879": { "affected_versions": "v2.6.12-rc2 to v5.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to do sanity check on inode type during garbage collection", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "9056d6489f5a41cfbb67f719d2c0ce61ead72d9f", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "In gc_data_segment in 
fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-44879", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-44879", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-44879", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-44879", "SUSE": "https://www.suse.com/security/cve/CVE-2021-44879", "Ubuntu": "https://ubuntu.com/security/CVE-2021-44879" } }, "CVE-2021-45095": { "affected_versions": "v2.6.12-rc2 to v5.16-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "phonet: refcount leak in pep_sock_accep", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "bcd0f93353326954817a4f9fa55ec57fb38acbb0", "last_affected_version": "5.15.13", "last_modified": "2023-12-06", "nvd_text": "pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45095", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45095", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45095", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45095" } }, "CVE-2021-45100": { "affected_versions": "v5.15-rc1 to 
v5.16-rc7", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Cleartext Transmission of Sensitive Information", "fixes": "83912d6d55be10d65b5268d1871168b9ebe1ec4b", "last_affected_version": "5.15.11", "last_modified": "2023-12-06", "nvd_text": "The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. 
When Windows 10 detects this protocol violation, it disables encryption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45100", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45100", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45100", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45100", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45100", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45100" } }, "CVE-2021-45402": { "affected_versions": "v5.7-rc1 to v5.16-rc6", "breaks": "3f50f132d8400e129fc9eb68b5020167ef80a244", "cmt_msg": "bpf: Fix signed bounds propagation after mov32", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "3cf2b61eb06765e27fec6799292d9fb46d0b7e60", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45402", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45402", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45402", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45402", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45402", "Ubuntu": 
"https://ubuntu.com/security/CVE-2021-45402" } }, "CVE-2021-45469": { "affected_versions": "v3.8-rc1 to v5.17-rc1", "breaks": "af48b85b8cd3fbb12c9b6759c16db6d69c0b03da", "cmt_msg": "f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45469", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45469", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45469", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45469", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45469", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45469" } }, "CVE-2021-45480": { "affected_versions": "v5.13-rc4 to v5.16-rc6", "breaks": "aced3ce57cd37b5ca332bcacd370d01f5a8c5371", "cmt_msg": "rds: memory leak in __rds_conn_create()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "score": 4.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": 
"Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "5f9562ebe710c307adc5f666bf1a2162ee7977c0", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45480", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45480", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45480", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45480", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45480", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45480" } }, "CVE-2021-45485": { "affected_versions": "v2.6.12-rc2 to v5.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: use prandom_u32() for ID generation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cwe": "Use of a Broken or Risky Cryptographic Algorithm", "fixes": "62f20e068ccc50d6ab66fdb72ba90da2b9418c99", "last_affected_version": "5.13.2", "last_modified": "2023-12-06", "nvd_text": "In the IPv6 implementation in the Linux kernel before 5.13.3, 
net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45485", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45485", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45485", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45485", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45485", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45485" } }, "CVE-2021-45486": { "affected_versions": "v3.16-rc1 to v5.13-rc1", "breaks": "73f156a6e8c1074ac6327e0abd1169e95eb66463", "cmt_msg": "inet: use bigger hash table for IP ID generation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:S/C:P/I:N/A:N", "score": 2.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.5 }, "cwe": "Use of a Broken or Risky Cryptographic Algorithm", "fixes": "aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba", "last_affected_version": "5.12.3", "last_modified": "2023-12-06", "nvd_text": "In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45486", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45486", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45486", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45486", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-45486", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45486" } }, "CVE-2021-45868": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "quota: check block number when reading the block in quota file", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "score": 4.3 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "9bf3d20331295b1ecb81f4ed9ef358c51699a050", "last_affected_version": "5.15.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). 
This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-45868", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-45868", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-45868", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-45868", "SUSE": "https://www.suse.com/security/cve/CVE-2021-45868", "Ubuntu": "https://ubuntu.com/security/CVE-2021-45868" } }, "CVE-2021-46283": { "affected_versions": "v5.7-rc1 to v5.13-rc7", "breaks": "65038428b2c6c5be79d3f78a6b79c0cdc3a58a41", "cmt_msg": "netfilter: nf_tables: initialize set before expression setup", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Initialization", "fixes": "ad9f151e560b016b6ad3280b48e42fa11e1a5440", "last_affected_version": "5.12.12", "last_modified": "2023-12-06", "nvd_text": "nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel before 5.12.13 allows local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. 
A local user can set a netfilter table expression in their own namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46283", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46283", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46283", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46283", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46283", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46283" } }, "CVE-2021-46904": { "affected_versions": "v2.6.27-rc1 to v5.12-rc7", "breaks": "72dc1c096c7051a48ab1dbb12f71976656b55eb5", "cmt_msg": "net: hso: fix null-ptr-deref during tty device unregistration", "fixes": "8a12f8836145ffe37e9c8733dce18c22fb668b66", "last_affected_version": "5.11.13", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix null-ptr-deref during tty device unregistration\n\nMultiple ttys try to claim the same minor number, causing a double\nunregistration of the same device. The first unregistration succeeds\nbut the next one results in a null-ptr-deref.\n\nThe get_free_serial_index() function returns an available minor number\nbut doesn't assign it immediately. The assignment is done by the caller\nlater. But before this assignment, calls to get_free_serial_index()\nwould return the same minor number.\n\nFix this by modifying get_free_serial_index to assign the minor number\nimmediately after one is found, and rename it to obtain_minor()\nto better reflect what it does. Similarly, rename set_serial_by_index()\nto release_minor() and modify it to free up the minor number of the\ngiven hso_serial. 
Every obtain_minor() should have corresponding\nrelease_minor() call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46904", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46904", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46904", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46904", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46904", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46904" } }, "CVE-2021-46905": { "affected_versions": "v5.12-rc7 to v5.13-rc1", "breaks": "8a12f8836145ffe37e9c8733dce18c22fb668b66", "cmt_msg": "net: hso: fix NULL-deref on disconnect regression", "fixes": "2ad5692db72874f02b9ad551d26345437ea4f7f3", "last_affected_version": "5.12.0", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix NULL-deref on disconnect regression\n\nCommit 8a12f8836145 (\"net: hso: fix null-ptr-deref during tty device\nunregistration\") fixed the racy minor allocation reported by syzbot, but\nintroduced an unconditional NULL-pointer dereference on every disconnect\ninstead.\n\nSpecifically, the serial device table must no longer be accessed after\nthe minor has been released by hso_serial_tty_unregister().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46905", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46905", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46905", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46905", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46905", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46905" } }, "CVE-2021-46906": { "affected_versions": "v2.6.12-rc2 to v5.13-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: usbhid: fix info leak in hid_submit_ctrl", "fixes": "6be388f4a35d2ce5ef7dbf635a8964a5da7f799f", "last_affected_version": "5.12.11", "last_modified": "2024-04-09", "nvd_text": "In the 
Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: fix info leak in hid_submit_ctrl\n\nIn hid_submit_ctrl(), the way of calculating the report length doesn't\ntake into account that report->size can be zero. When running the\nsyzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to\ncalculate transfer_buffer_length as 16384. When this urb is passed to\nthe usb core layer, KMSAN reports an info leak of 16384 bytes.\n\nTo fix this, first modify hid_report_len() to account for the zero\nreport size case by using DIV_ROUND_UP for the division. Then, call it\nfrom hid_submit_ctrl().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46906", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46906", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46906", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46906", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46906", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46906" } }, "CVE-2021-46908": { "affected_versions": "unk to v5.12-rc8", "breaks": "", "cmt_msg": "bpf: Use correct permission flag for mixed signed bounds arithmetic", "fixes": "9601148392520e2e134936e76788fc2a6371e7be", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use correct permission flag for mixed signed bounds arithmetic\n\nWe forbid adding unknown scalars with mixed signed bounds due to the\nspectre v1 masking mitigation. 
Hence this also needs bypass_spec_v1\nflag instead of allow_ptr_leaks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46908", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46908", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46908", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46908", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46908", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46908" } }, "CVE-2021-46909": { "affected_versions": "v4.13-rc1 to v5.12-rc8", "breaks": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52", "cmt_msg": "ARM: footbridge: fix PCI interrupt mapping", "fixes": "30e3b4f256b4e366a61658c294f6a21b8626dda7", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: footbridge: fix PCI interrupt mapping\n\nSince commit 30fdfb929e82 (\"PCI: Add a call to pci_assign_irq() in\npci_device_probe()\"), the PCI code will call the IRQ mapping function\nwhenever a PCI driver is probed. 
If these are marked as __init, this\ncauses an oops if a PCI driver is loaded or bound after the kernel has\ninitialised.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46909", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46909", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46909", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46909", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46909", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46909" } }, "CVE-2021-46910": { "affected_versions": "v5.11-rc1 to v5.12-rc8", "breaks": "2a15ba82fa6ca3f35502b3060f22118a938d2889", "cmt_msg": "ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled", "fixes": "d624833f5984d484c5e3196f34b926f9e71dafee", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled\n\nThe debugging code for kmap_local() doubles the number of per-CPU fixmap\nslots allocated for kmap_local(), in order to use half of them as guard\nregions. This causes the fixmap region to grow downwards beyond the start\nof its reserved window if the supported number of CPUs is large, and collide\nwith the newly added virtual DT mapping right below it, which is obviously\nnot good.\n\nOne manifestation of this is EFI boot on a kernel built with NR_CPUS=32\nand CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting\nin block entries below the fixmap region that the fixmap code misidentifies\nas fixmap table entries, and subsequently tries to dereference using a\nphys-to-virt translation that is only valid for lowmem. 
This results in a\ncryptic splat such as the one below.\n\n ftrace: allocating 45548 entries in 89 pages\n 8<--- cut here ---\n Unable to handle kernel paging request at virtual address fc6006f0\n pgd = (ptrval)\n [fc6006f0] *pgd=80000040207003, *pmd=00000000\n Internal error: Oops: a06 [#1] SMP ARM\n Modules linked in:\n CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382\n Hardware name: Generic DT based system\n PC is at cpu_ca15_set_pte_ext+0x24/0x30\n LR is at __set_fixmap+0xe4/0x118\n pc : [] lr : [] psr: 400000d3\n sp : c1601ed8 ip : 00400000 fp : 00800000\n r10: 0000071f r9 : 00421000 r8 : 00c00000\n r7 : 00c00000 r6 : 0000071f r5 : ffade000 r4 : 4040171f\n r3 : 00c00000 r2 : 4040171f r1 : c041ac78 r0 : fc6006f0\n Flags: nZcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none\n Control: 30c5387d Table: 40203000 DAC: 00000001\n Process swapper (pid: 0, stack limit = 0x(ptrval))\n\nSo let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also,\nfix the BUILD_BUG_ON() check that was supposed to catch this, by checking\nwhether the region grows below the start address rather than above the end\naddress.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46910", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46910", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46910", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46910", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46910", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46910" } }, "CVE-2021-46911": { "affected_versions": "v5.7-rc1 to v5.12-rc8", "breaks": "5a4b9fe7fece62ecab6fb28fe92362f83b41c33e", "cmt_msg": "ch_ktls: Fix kernel panic", "fixes": "1a73e427b824133940c2dd95ebe26b6dce1cbf10", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nch_ktls: Fix kernel panic\n\nTaking page refcount is not ideal and causes kernel panic\nsometimes. 
It's better to take tx_ctx lock for the complete\nskb transmit, to avoid page cleanup if ACK received in middle.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46911", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46911", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46911", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46911", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46911", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46911" } }, "CVE-2021-46912": { "affected_versions": "v5.7-rc1 to v5.12-rc8", "breaks": "9cb8e048e5d93825ec5e8dfb5b8df4987ea25745", "cmt_msg": "net: Make tcp_allowed_congestion_control readonly in non-init netns", "fixes": "97684f0970f6e112926de631fdd98d9693c7e5c1", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\n\nCurrently, tcp_allowed_congestion_control is global and writable;\nwriting to it in any net namespace will leak into all other net\nnamespaces.\n\ntcp_available_congestion_control and tcp_allowed_congestion_control are\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\nand proc_allowed_congestion_control) have no other way of referencing a\nstruct net. Thus, they operate globally.\n\nBecause ipv4_net_table does not use designated initializers, there is no\neasy way to fix up this one \"bad\" table entry. 
However, the data pointer\nupdating logic shouldn't be applied to NULL pointers anyway, so we\ninstead force these entries to be read-only.\n\nThese sysctls used to exist in ipv4_table (init-net only), but they were\nmoved to the per-net ipv4_net_table, presumably without realizing that\ntcp_allowed_congestion_control was writable and thus introduced a leak.\n\nBecause the intent of that commit was only to know (i.e. read) \"which\ncongestion algorithms are available or allowed\", this read-only solution\nshould be sufficient.\n\nThe logic added in recent commit\n31c4d2f160eb: (\"net: Ensure net namespace isolation of sysctls\")\ndoes not and cannot check for NULL data pointers, because\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\n.data=NULL but use other methods (.extra2) to access the struct net.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46912", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46912", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46912", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46912", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46912", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46912" } }, "CVE-2021-46913": { "affected_versions": "v5.7-rc1 to v5.12-rc8", "breaks": "4094445229760d0d31a4190dfe88fe815c9fc34e", "cmt_msg": "netfilter: nftables: clone set element expression template", "fixes": "4d8f9065830e526c83199186c5f56a6514f457d2", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: clone set element expression template\n\nmemcpy() breaks when using connlimit in set elements. 
Use\nnft_expr_clone() to initialize the connlimit expression list, otherwise\nconnlimit garbage collector crashes when walking on the list head copy.\n\n[ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]\n[ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]\n[ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83\n[ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297\n[ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000\n[ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0\n[ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c\n[ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001\n[ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000\n[ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000\n[ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0\n[ 493.064733] Call Trace:\n[ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount]\n[ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46913", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46913", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46913", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46913", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46913", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46913" } }, "CVE-2021-46914": { "affected_versions": "v5.9-rc1 to v5.12-rc8", "breaks": "6f82b25587354ce7c9c42e0b53d8b0770b900847", "cmt_msg": "ixgbe: fix unbalanced device enable/disable in suspend/resume", "fixes": "debb9df311582c83fe369baa35fa4b92e8a9c58a", 
"last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix unbalanced device enable/disable in suspend/resume\n\npci_disable_device() called in __ixgbe_shutdown() decreases\ndev->enable_cnt by 1. pci_enable_device_mem() which increases\ndev->enable_cnt by 1, was removed from ixgbe_resume() in commit\n6f82b2558735 (\"ixgbe: use generic power management\"). This caused\nunbalanced increase/decrease. So add pci_enable_device_mem() back.\n\nFix the following call trace.\n\n ixgbe 0000:17:00.1: disabling already-disabled device\n Call Trace:\n __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]\n ixgbe_suspend+0x32/0x70 [ixgbe]\n pci_pm_suspend+0x87/0x160\n ? pci_pm_freeze+0xd0/0xd0\n dpm_run_callback+0x42/0x170\n __device_suspend+0x114/0x460\n async_suspend+0x1f/0xa0\n async_run_entry_fn+0x3c/0xf0\n process_one_work+0x1dd/0x410\n worker_thread+0x34/0x3f0\n ? cancel_delayed_work+0x90/0x90\n kthread+0x14c/0x170\n ? 
kthread_park+0x90/0x90\n ret_from_fork+0x1f/0x30", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46914", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46914", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46914", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46914", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46914", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46914" } }, "CVE-2021-46915": { "affected_versions": "v4.13 to v5.12-rc8", "breaks": "c26844eda9d4fdbd266660e3b3de2d0270e3a1ed", "cmt_msg": "netfilter: nft_limit: avoid possible divide error in nft_limit_init", "fixes": "b895bdf5d643b6feb7c60856326dd4feb6981560", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_limit: avoid possible divide error in nft_limit_init\n\ndiv_u64() divides u64 by u32.\n\nnft_limit_init() wants to divide u64 by u64, use the appropriate\nmath function (div64_u64)\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]\nRIP: 0010:div_u64 include/linux/math64.h:127 [inline]\nRIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85\nCode: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00\nRSP: 0018:ffffc90009447198 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003\nRBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000\nR10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270\nR13: 0000000000000000 R14: 0000000000000000 
R15: 0000000000000000\nFS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]\n nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713\n nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160\n nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321\n nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46915", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46915", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46915", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46915", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46915", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46915" } }, "CVE-2021-46916": { "affected_versions": "v5.11-rc1 to v5.12-rc8", "breaks": "b02e5a0ebb172c8276cea3151942aac681f7a4a6", "cmt_msg": "ixgbe: Fix NULL pointer dereference in ethtool loopback test", "fixes": "31166efb1cee348eb6314e9c0095d84cbeb66b9d", "last_affected_version": 
"5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix NULL pointer dereference in ethtool loopback test\n\nThe ixgbe driver currently generates a NULL pointer dereference when\nperforming the ethtool loopback test. This is due to the fact that there\nisn't a q_vector associated with the test ring when it is setup as\ninterrupts are not normally added to the test rings.\n\nTo address this I have added code that will check for a q_vector before\nreturning a napi_id value. If a q_vector is not present it will return a\nvalue of 0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46916", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46916", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46916", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46916", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46916", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46916" } }, "CVE-2021-46917": { "affected_versions": "v5.8-rc6 to v5.12-rc8", "breaks": "da32b28c95a79e399e18c03f8178f41aec9c66e4", "cmt_msg": "dmaengine: idxd: fix wq cleanup of WQCFG registers", "fixes": "ea9aadc06a9f10ad20a90edc0a484f1147d88a7a", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix wq cleanup of WQCFG registers\n\nA pre-release silicon erratum workaround where wq reset does not clear\nWQCFG registers was leaked into upstream code. Use wq reset command\ninstead of blasting the MMIO region. 
This also address an issue where\nwe clobber registers in future devices.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46917", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46917", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46917", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46917", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46917", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46917" } }, "CVE-2021-46918": { "affected_versions": "v5.11-rc1 to v5.12-rc8", "breaks": "8e50d392652f20616a136165dff516b86baf5e49", "cmt_msg": "dmaengine: idxd: clear MSIX permission entry on shutdown", "fixes": "6df0e6c57dfc064af330071f372f11aa8c584997", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: clear MSIX permission entry on shutdown\n\nAdd disabling/clearing of MSIX permission entries on device shutdown to\nmirror the enabling of the MSIX entries on probe. 
Current code left the\nMSIX enabled and the pasid entries still programmed at device shutdown.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46918", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46918", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46918", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46918", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46918", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46918" } }, "CVE-2021-46919": { "affected_versions": "v5.6-rc1 to v5.12-rc8", "breaks": "c52ca478233c172b2d322b5241d6279a8661cbba", "cmt_msg": "dmaengine: idxd: fix wq size store permission state", "fixes": "0fff71c5a311e1264988179f7dcc217fda15fadd", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix wq size store permission state\n\nWQ size can only be changed when the device is disabled. Current code\nallows change when device is enabled but wq is disabled. 
Change the check\nto detect device state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46919", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46919", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46919", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46919", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46919", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46919" } }, "CVE-2021-46920": { "affected_versions": "v5.6-rc1 to v5.12-rc8", "breaks": "bfe1d56091c1a404b3d4ce7e9809d745fc4453bb", "cmt_msg": "dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback", "fixes": "ea941ac294d75d0ace50797aebf0056f6f8f7a7f", "last_affected_version": "5.11.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback\n\nCurrent code blindly writes over the SWERR and the OVERFLOW bits. Write\nback the bits actually read instead so the driver avoids clobbering the\nOVERFLOW bit that comes after the register is read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46920", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46920", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46920", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46920", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46920", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46920" } }, "CVE-2021-46921": { "affected_versions": "v4.15-rc1 to v5.12", "breaks": "b519b56e378ee82caf9b079b04f5db87dedc3251", "cmt_msg": "locking/qrwlock: Fix ordering in queued_write_lock_slowpath()", "fixes": "84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896", "last_affected_version": "5.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/qrwlock: Fix ordering in queued_write_lock_slowpath()\n\nWhile this code is executed 
with the wait_lock held, a reader can\nacquire the lock without holding wait_lock. The writer side loops\nchecking the value with the atomic_cond_read_acquire(), but only truly\nacquires the lock when the compare-and-exchange is completed\nsuccessfully which isn\u2019t ordered. This exposes the window between the\nacquire and the cmpxchg to an A-B-A problem which allows reads\nfollowing the lock acquisition to observe values speculatively before\nthe write lock is truly acquired.\n\nWe've seen a problem in epoll where the reader does a xchg while\nholding the read lock, but the writer can see a value change out from\nunder it.\n\n Writer | Reader\n --------------------------------------------------------------------------------\n ep_scan_ready_list() |\n |- write_lock_irq() |\n |- queued_write_lock_slowpath() |\n\t|- atomic_cond_read_acquire() |\n\t\t\t\t | read_lock_irqsave(&ep->lock, flags);\n --> (observes value before unlock) | chain_epi_lockless()\n | | epi->next = xchg(&ep->ovflist, epi);\n | | read_unlock_irqrestore(&ep->lock, flags);\n | |\n | atomic_cmpxchg_relaxed() |\n |-- READ_ONCE(ep->ovflist); |\n\nA core can order the read of the ovflist ahead of the\natomic_cmpxchg_relaxed(). 
Switching the cmpxchg to use acquire\nsemantics addresses this issue at which point the atomic_cond_read can\nbe switched to use relaxed semantics.\n\n[peterz: use try_cmpxchg()]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46921", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46921", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46921", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46921", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46921", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46921" } }, "CVE-2021-46922": { "affected_versions": "v5.12-rc1-dontuse to v5.12", "breaks": "8c657a0590de585b1115847c17b34a58025f2f4b", "cmt_msg": "KEYS: trusted: Fix TPM reservation for seal/unseal", "fixes": "9d5171eab462a63e2fbebfccf6026e92be018f20", "last_affected_version": "5.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix TPM reservation for seal/unseal\n\nThe original patch 8c657a0590de (\"KEYS: trusted: Reserve TPM for seal\nand unseal operations\") was correct on the mailing list:\n\nhttps://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/\n\nBut somehow got rebased so that the tpm_try_get_ops() in\ntpm2_seal_trusted() got lost. 
This causes an imbalanced put of the\nTPM ops and causes oopses on TIS based hardware.\n\nThis fix puts back the lost tpm_try_get_ops()", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46922", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46922", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46922", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46922", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46922", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46922" } }, "CVE-2021-46923": { "affected_versions": "v5.12-rc1-dontuse to v5.16-rc8", "breaks": "9caccd41541a6f7d6279928d9f971f6642c361af", "cmt_msg": "fs/mount_setattr: always cleanup mount_kattr", "fixes": "012e332286e2bb9f6ac77d195f17e74b2963d663", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/mount_setattr: always cleanup mount_kattr\n\nMake sure that finish_mount_kattr() is called after mount_kattr was\nsuccesfully built in both the success and failure case to prevent\nleaking any references we took when we built it. 
We returned early if\npath lookup failed thereby risking to leak an additional reference we\ntook when building mount_kattr when an idmapped mount was requested.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46923", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46923", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46923", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46923", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46923", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46923" } }, "CVE-2021-46924": { "affected_versions": "v3.16-rc1 to v5.16-rc8", "breaks": "68957303f44a501af5cf37913208a2acaa6bcdf1", "cmt_msg": "NFC: st21nfca: Fix memory leak in device probe and remove", "fixes": "1b9dadba502234eea7244879b8d5d126bfaf9f0c", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: st21nfca: Fix memory leak in device probe and remove\n\n'phy->pending_skb' is alloced when device probe, but forgot to free\nin the error handling path and remove path, this cause memory leak\nas follows:\n\nunreferenced object 0xffff88800bc06800 (size 512):\n comm \"8\", pid 11775, jiffies 4295159829 (age 9.032s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450\n [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0\n [<000000005fea522c>] __alloc_skb+0x124/0x380\n [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2\n\nFix it by freeing 'pending_skb' in error and remove.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46924", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46924", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46924", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2021-46924", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46924", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46924" } }, "CVE-2021-46925": { "affected_versions": "v4.11-rc1 to v5.16-rc8", "breaks": "5f08318f617b05b6ee389d8bd174c7af921ebf19", "cmt_msg": "net/smc: fix kernel panic caused by race of smc_sock", "fixes": "349d43127dac00c15231e8ffbcaabd70f7b0e544", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix kernel panic caused by race of smc_sock\n\nA crash occurs when smc_cdc_tx_handler() tries to access smc_sock\nbut smc_release() has already freed it.\n\n[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88\n[ 4570.696048] #PF: supervisor write access in kernel mode\n[ 4570.696728] #PF: error_code(0x0002) - not-present page\n[ 4570.697401] PGD 0 P4D 0\n[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111\n[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0\n[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30\n<...>\n[ 4570.711446] Call Trace:\n[ 4570.711746] \n[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0\n[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560\n[ 4570.712981] ? 
smc_cdc_tx_dismisser+0x10/0x10\n[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140\n[ 4570.714083] __do_softirq+0x123/0x2f4\n[ 4570.714521] irq_exit_rcu+0xc4/0xf0\n[ 4570.714934] common_interrupt+0xba/0xe0\n\nThough smc_cdc_tx_handler() checked the existence of smc connection,\nsmc_release() may have already dismissed and released the smc socket\nbefore smc_cdc_tx_handler() further visits it.\n\nsmc_cdc_tx_handler() |smc_release()\nif (!conn) |\n |\n |smc_cdc_tx_dismiss_slots()\n | smc_cdc_tx_dismisser()\n |\n |sock_put(&smc->sk) <- last sock_put,\n | smc_sock freed\nbh_lock_sock(&smc->sk) (panic) |\n\nTo make sure we won't receive any CDC messages after we free the\nsmc_sock, add a refcount on the smc_connection for inflight CDC\nmessage(posted to the QP but haven't received related CQE), and\ndon't release the smc_connection until all the inflight CDC messages\nhaven been done, for both success or failed ones.\n\nUsing refcount on CDC messages brings another problem: when the link\nis going to be destroyed, smcr_link_clear() will reset the QP, which\nthen remove all the pending CQEs related to the QP in the CQ. 
To make\nsure all the CQEs will always come back so the refcount on the\nsmc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced\nby smc_ib_modify_qp_error().\nAnd remove the timeout in smc_wr_tx_wait_no_pending_sends() since we\nneed to wait for all pending WQEs done, or we may encounter use-after-\nfree when handling CQEs.\n\nFor IB device removal routine, we need to wait for all the QPs on that\ndevice been destroyed before we can destroy CQs on the device, or\nthe refcount on smc_connection won't reach 0 and smc_sock cannot be\nreleased.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46925", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46925", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46925", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46925", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46925", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46925" } }, "CVE-2021-46926": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: hda: intel-sdw-acpi: harden detection of controller", "fixes": "385f287f9853da402d94278e59f594501c1d1dad", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: harden detection of controller\n\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. 
This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\n\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46926", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46926", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46926", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46926", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46926", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46926" } }, "CVE-2021-46927": { "affected_versions": "v5.15-rc1 to v5.16-rc8", "breaks": "5b78ed24e8ec48602c1d6f5a188e58d000c81e2b", "cmt_msg": "nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert", "fixes": "3a0152b219523227c2a62a0a122cf99608287176", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert\n\nAfter commit 5b78ed24e8ec (\"mm/pagemap: add mmap_assert_locked()\nannotations to find_vma*()\"), the call to get_user_pages() will trigger\nthe mmap assert.\n\nstatic inline void mmap_assert_locked(struct mm_struct *mm)\n{\n\tlockdep_assert_held(&mm->mmap_lock);\n\tVM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);\n}\n\n[ 62.521410] kernel BUG at include/linux/mmap_lock.h:156!\n...........................................................\n[ 62.538938] RIP: 0010:find_vma+0x32/0x80\n...........................................................\n[ 62.605889] Call Trace:\n[ 62.608502] \n[ 62.610956] ? lock_timer_base+0x61/0x80\n[ 62.614106] find_extend_vma+0x19/0x80\n[ 62.617195] __get_user_pages+0x9b/0x6a0\n[ 62.620356] __gup_longterm_locked+0x42d/0x450\n[ 62.623721] ? finish_wait+0x41/0x80\n[ 62.626748] ? 
__kmalloc+0x178/0x2f0\n[ 62.629768] ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]\n[ 62.635776] ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]\n[ 62.639541] __x64_sys_ioctl+0x82/0xb0\n[ 62.642620] do_syscall_64+0x3b/0x90\n[ 62.645642] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUse get_user_pages_unlocked() when setting the enclave memory regions.\nThat's a similar pattern as mmap_read_lock() used together with\nget_user_pages().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46927", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46927", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46927", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46927", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46927", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46927" } }, "CVE-2021-46928": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "parisc: Clear stale IIR value on instruction access rights trap", "fixes": "484730e5862f6b872dca13840bed40fd7c60fa26", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. 
So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46928", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46928", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46928", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46928", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46928", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46928" } }, "CVE-2021-46929": { "affected_versions": "v4.14-rc1 to v5.16-rc8", "breaks": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "cmt_msg": "sctp: use call_rcu to free endpoint", "fixes": "5ec7d18d1813a5bead0b495045606c93873aecbb", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: use call_rcu to free endpoint\n\nThis patch is to delay the endpoint free by calling call_rcu() to fix\nanother use-after-free issue in sctp_sock_dump():\n\n BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20\n Call Trace:\n __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218\n lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]\n _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168\n spin_lock_bh include/linux/spinlock.h:334 [inline]\n __lock_sock+0x203/0x350 net/core/sock.c:2253\n lock_sock_nested+0xfe/0x120 net/core/sock.c:2774\n lock_sock include/net/sock.h:1492 [inline]\n sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324\n sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091\n sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527\n __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049\n inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065\n 
netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244\n __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352\n netlink_dump_start include/linux/netlink.h:216 [inline]\n inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170\n __sock_diag_cmd net/core/sock_diag.c:232 [inline]\n sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263\n netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274\n\nThis issue occurs when asoc is peeled off and the old sk is freed after\ngetting it by asoc->base.sk and before calling lock_sock(sk).\n\nTo prevent the sk free, as a holder of the sk, ep should be alive when\ncalling lock_sock(). This patch uses call_rcu() and moves sock_put and\nep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to\nhold the ep under rcu_read_lock in sctp_transport_traverse_process().\n\nIf sctp_endpoint_hold() returns true, it means this ep is still alive\nand we have held it and can continue to dump it; If it returns false,\nit means this ep is dead and can be freed after rcu_read_unlock, and\nwe should skip it.\n\nIn sctp_sock_dump(), after locking the sk, if this ep is different from\ntsp->asoc->ep, it means during this dumping, this asoc was peeled off\nbefore calling lock_sock(), and the sk should be skipped; If this ep is\nthe same with tsp->asoc->ep, it means no peeloff happens on this asoc,\nand due to lock_sock, no peeloff will happen either until release_sock.\n\nNote that delaying endpoint free won't delay the port release, as the\nport release happens in sctp_endpoint_destroy() before calling call_rcu().\nAlso, freeing endpoint by call_rcu() makes it safe to access the sk by\nasoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().\n\nThanks Jones to bring this issue up.\n\nv1->v2:\n - improve the changelog.\n - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46929", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2021-46929", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46929", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46929", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46929", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46929" } }, "CVE-2021-46930": { "affected_versions": "v5.2-rc1 to v5.16-rc8", "breaks": "83374e035b6286731c5aa617844c7b724294c2a7", "cmt_msg": "usb: mtu3: fix list_head check warning", "fixes": "8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: mtu3: fix list_head check warning\n\nThis is caused by uninitialization of list_head.\n\nBUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4\n\nCall trace:\ndump_backtrace+0x0/0x298\nshow_stack+0x24/0x34\ndump_stack+0x130/0x1a8\nprint_address_description+0x88/0x56c\n__kasan_report+0x1b8/0x2a0\nkasan_report+0x14/0x20\n__asan_load8+0x9c/0xa0\n__list_del_entry_valid+0x34/0xe4\nmtu3_req_complete+0x4c/0x300 [mtu3]\nmtu3_gadget_stop+0x168/0x448 [mtu3]\nusb_gadget_unregister_driver+0x204/0x3a0\nunregister_gadget_item+0x44/0xa4", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46930", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46930", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46930", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46930", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46930", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46930" } }, "CVE-2021-46931": { "affected_versions": "v5.7-rc1 to v5.16-rc8", "breaks": "5f29458b77d51c104554575b73184c243930aa87", "cmt_msg": "net/mlx5e: Wrap the tx reporter dump callback to extract the sq", "fixes": "918fc3855a6507a200e9cf22c20be852c0982687", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following 
vulnerability has been resolved:\n\nnet/mlx5e: Wrap the tx reporter dump callback to extract the sq\n\nFunction mlx5e_tx_reporter_dump_sq() casts its void * argument to struct\nmlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually\nof type struct mlx5e_tx_timeout_ctx *.\n\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000\n BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)\n kernel stack overflow (page fault): 0000 [#1] SMP NOPTI\n CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n [mlx5_core]\n Call Trace:\n mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]\n devlink_health_do_dump.part.91+0x71/0xd0\n devlink_health_report+0x157/0x1b0\n mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]\n ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0\n [mlx5_core]\n ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]\n ? update_load_avg+0x19b/0x550\n ? set_next_entity+0x72/0x80\n ? pick_next_task_fair+0x227/0x340\n ? finish_task_switch+0xa2/0x280\n mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]\n process_one_work+0x1de/0x3a0\n worker_thread+0x2d/0x3c0\n ? process_one_work+0x3a0/0x3a0\n kthread+0x115/0x130\n ? 
kthread_park+0x90/0x90\n ret_from_fork+0x1f/0x30\n --[ end trace 51ccabea504edaff ]---\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: disabled\n end Kernel panic - not syncing: Fatal exception\n\nTo fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which\nextracts the sq from struct mlx5e_tx_timeout_ctx and set it as the\nTX-timeout-recovery flow dump callback.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46931", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46931", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46931", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46931", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46931", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46931" } }, "CVE-2021-46932": { "affected_versions": "v2.6.23-rc1 to v5.16-rc8", "breaks": "5a6eb676d3bc4d7a6feab200a92437b62ad298da", "cmt_msg": "Input: appletouch - initialize work before device registration", "fixes": "9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: appletouch - initialize work before device registration\n\nSyzbot has reported warning in __flush_work(). 
This warning is caused by\nwork->func == NULL, which means missing work initialization.\n\nThis may happen, since input_dev->close() calls\ncancel_work_sync(&dev->work), but dev->work initalization happens _after_\ninput_register_device() call.\n\nSo this patch moves dev->work initialization before registering input\ndevice", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46932", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46932", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46932", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46932", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46932", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46932" } }, "CVE-2021-46933": { "affected_versions": "v4.0-rc1 to v5.16-rc8", "breaks": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "cmt_msg": "usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.", "fixes": "b1e0887379422975f237d43d8839b751a6bcf154", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.\n\nffs_data_clear is indirectly called from both ffs_fs_kill_sb and\nffs_ep0_release, so it ends up being called twice when userland closes ep0\nand then unmounts f_fs.\nIf userland provided an eventfd along with function's USB descriptors, it\nends up calling eventfd_ctx_put as many times, causing a refcount\nunderflow.\nNULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.\n\nAlso, set epfiles to NULL right after de-allocating it, for readability.\n\nFor completeness, ffs_data_clear actually ends up being called thrice, the\nlast call being before the whole ffs structure gets freed, so when this\nspecific sequence happens there is a second underflow happening (but not\nbeing reported):\n\n/sys/kernel/debug/tracing# modprobe usb_f_fs\n/sys/kernel/debug/tracing# echo ffs_data_clear > 
set_ftrace_filter\n/sys/kernel/debug/tracing# echo function > current_tracer\n/sys/kernel/debug/tracing# echo 1 > tracing_on\n(setup gadget, run and kill function userland process, teardown gadget)\n/sys/kernel/debug/tracing# echo 0 > tracing_on\n/sys/kernel/debug/tracing# cat trace\n smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed\n smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed\n smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put\n\nWarning output corresponding to above trace:\n[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c\n[ 1946.293094] refcount_t: underflow; use-after-free.\n[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)\n[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1\n[ 1946.417950] Hardware name: BCM2835\n[ 1946.425442] Backtrace:\n[ 1946.432048] [] (dump_backtrace) from [] (show_stack+0x20/0x24)\n[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c\n[ 1946.458412] [] (show_stack) 
from [] (dump_stack+0x28/0x30)\n[ 1946.470380] [] (dump_stack) from [] (__warn+0xe8/0x154)\n[ 1946.482067] r5:c04a948c r4:c0a71dc8\n[ 1946.490184] [] (__warn) from [] (warn_slowpath_fmt+0xa0/0xe4)\n[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04\n[ 1946.517070] [] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x110/0x15c)\n[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0\n[ 1946.546708] [] (refcount_warn_saturate) from [] (eventfd_ctx_put+0x48/0x74)\n[ 1946.564476] [] (eventfd_ctx_put) from [] (ffs_data_clear+0xd0/0x118 [usb_f_fs])\n[ 1946.582664] r5:c3b84c00 r4:c2695b00\n[ 1946.590668] [] (ffs_data_clear [usb_f_fs]) from [] (ffs_data_closed+0x9c/0x150 [usb_f_fs])\n[ 1946.609608] r5:bf54d014 r4:c2695b00\n[ 1946.617522] [] (ffs_data_closed [usb_f_fs]) from [] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])\n[ 1946.636217] r7:c0dfcb\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46933", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46933", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46933", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46933", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46933", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46933" } }, "CVE-2021-46934": { "affected_versions": "v4.15-rc1 to v5.16-rc8", "breaks": "7d5cb45655f2e9e37ef75d18f50c0072ef14a38b", "cmt_msg": "i2c: validate user data in compat ioctl", "fixes": "bb436283e25aaf1533ce061605d23a9564447bdf", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: validate user data in compat ioctl\n\nWrong user data may cause warning in i2c_transfer(), ex: zero msgs.\nUserspace should not be able to trigger warnings, so this patch adds\nvalidation checks for user data in compact ioctl to prevent reported\nwarnings", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2021-46934", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46934", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46934", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46934", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46934", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46934" } }, "CVE-2021-46935": { "affected_versions": "v4.14-rc1 to v5.16-rc8", "breaks": "74310e06be4d74dcf67cd108366710dee5c576d5", "cmt_msg": "binder: fix async_free_space accounting for empty parcels", "fixes": "cfd0d84ba28c18b531648c9d4a35ecca89ad9901", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless. These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. 
These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46935", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46935", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46935", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46935", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46935", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46935" } }, "CVE-2021-46936": { "affected_versions": "v2.6.27-rc1 to v5.16-rc8", "breaks": "61a7e26028b94805fd686a6dc9dbd9941f8f19b0", "cmt_msg": "net: fix use-after-free in tw_timer_handler", "fixes": "e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix use-after-free in tw_timer_handler\n\nA real world panic issue was found as follow in Linux 5.4.\n\n BUG: unable to handle page fault for address: ffffde49a863de28\n PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0\n RIP: 0010:tw_timer_handler+0x20/0x40\n Call Trace:\n \n call_timer_fn+0x2b/0x120\n run_timer_softirq+0x1ef/0x450\n __do_softirq+0x10d/0x2b8\n irq_exit+0xc7/0xd0\n smp_apic_timer_interrupt+0x68/0x120\n apic_timer_interrupt+0xf/0x20\n\nThis issue was also reported since 2017 in the thread [1],\nunfortunately, the issue was still can be reproduced after fixing\nDCCP.\n\nThe ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net\nnamespace is destroyed since tcp_sk_ops is registered befrore\nipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops\nin the list of pernet_list. 
There will be a use-after-free on\nnet->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net\nif there are some inflight time-wait timers.\n\nThis bug is not introduced by commit f2bf415cfed7 (\"mib: add net to\nNET_ADD_STATS_BH\") since the net_statistics is a global variable\ninstead of dynamic allocation and freeing. Actually, commit\n61a7e26028b9 (\"mib: put net statistics on struct net\") introduces\nthe bug since it put net statistics on struct net and free it when\nnet namespace is destroyed.\n\nMoving init_ipv4_mibs() to the front of tcp_init() to fix this bug\nand replace pr_crit() with panic() since continuing is meaningless\nwhen init_ipv4_mibs() fails.\n\n[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46936", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46936", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46936", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46936", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46936", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46936" } }, "CVE-2021-46937": { "affected_versions": "v5.15-rc1 to v5.16-rc8", "breaks": "4bc05954d0076655cfaf6f0135585bdc20cd6b11", "cmt_msg": "mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'", "fixes": "ebb3f994dd92f8fb4d70c7541091216c1e10cb71", "last_affected_version": "5.15.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'\n\nDAMON debugfs interface increases the reference counts of 'struct pid's\nfor targets from the 'target_ids' file write callback\n('dbgfs_target_ids_write()'), but decreases the counts only in DAMON\nmonitoring termination callback ('dbgfs_before_terminate()').\n\nTherefore, when 'target_ids' file is repeatedly written without DAMON\nmonitoring 
start/termination, the reference count is not decreased and\ntherefore memory for the 'struct pid' cannot be freed. This commit\nfixes this issue by decreasing the reference counts when 'target_ids' is\nwritten.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46937", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46937", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46937", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46937", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46937", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46937" } }, "CVE-2021-46938": { "affected_versions": "v4.6-rc1 to v5.13-rc1", "breaks": "1c357a1e86a4227a6b6059f2de118ae47659cebc", "cmt_msg": "dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails", "fixes": "8e947c8f4a5620df77e43c9c75310dc510250166", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm rq: fix double free of blk_mq_tag_set in dev remove after table load fails\n\nWhen loading a device-mapper table for a request-based mapped device,\nand the allocation/initialization of the blk_mq_tag_set for the device\nfails, a following device remove will cause a double free.\n\nE.g. (dmesg):\n device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device\n device-mapper: ioctl: unable to set up device queue for new table.\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 0305e098835de000 TEID: 0305e098835de803\n Fault in home space mode while using kernel ASCE.\n AS:000000025efe0007 R3:0000000000000024\n Oops: 0038 ilc:3 [#1] SMP\n Modules linked in: ... 
lots of modules ...\n Supported: Yes, External\n CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3\n Hardware name: IBM 8561 T01 7I2 (LPAR)\n Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000\n 000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000\n 000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640\n 00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8\n Krnl Code: 000000025e368eb8: c4180041e100 lgrl %r1,25eba50b8\n 000000025e368ebe: ecba06b93a55 risbg %r11,%r10,6,185,58\n #000000025e368ec4: e3b010000008 ag %r11,0(%r1)\n >000000025e368eca: e310b0080004 lg %r1,8(%r11)\n 000000025e368ed0: a7110001 tmll %r1,1\n 000000025e368ed4: a7740129 brc 7,25e369126\n 000000025e368ed8: e320b0080004 lg %r2,8(%r11)\n 000000025e368ede: b904001b lgr %r1,%r11\n Call Trace:\n [<000000025e368eca>] kfree+0x42/0x330\n [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8\n [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]\n [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]\n [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]\n [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]\n [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]\n [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]\n [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0\n [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40\n [<000000025e8c15ac>] system_call+0xd8/0x2c8\n Last Breaking-Event-Address:\n [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\nWhen allocation/initialization of the blk_mq_tag_set fails in\ndm_mq_init_request_queue(), it is uninitialized/freed, but the pointer\nis not reset to NULL; so when dev_remove() later gets into\ndm_mq_cleanup_mapped_device() it sees the pointer and tries 
to\nuninitialize and free it again.\n\nFix this by setting the pointer to NULL in dm_mq_init_request_queue()\nerror-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46938", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46938", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46938", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46938" } }, "CVE-2021-46939": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "tracing: Restructure trace_clock_global() to never block", "fixes": "aafe104aa9096827a429bc1358f8260ee565b7cc", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Restructure trace_clock_global() to never block\n\nIt was reported that a fix to the ring buffer recursion detection would\ncause a hung machine when performing suspend / resume testing. The\nfollowing backtrace was extracted from debugging that case:\n\nCall Trace:\n trace_clock_global+0x91/0xa0\n __rb_reserve_next+0x237/0x460\n ring_buffer_lock_reserve+0x12a/0x3f0\n trace_buffer_lock_reserve+0x10/0x50\n __trace_graph_return+0x1f/0x80\n trace_graph_return+0xb7/0xf0\n ? trace_clock_global+0x91/0xa0\n ftrace_return_to_handler+0x8b/0xf0\n ? pv_hash+0xa0/0xa0\n return_to_handler+0x15/0x30\n ? ftrace_graph_caller+0xa0/0xa0\n ? trace_clock_global+0x91/0xa0\n ? __rb_reserve_next+0x237/0x460\n ? ring_buffer_lock_reserve+0x12a/0x3f0\n ? trace_event_buffer_lock_reserve+0x3c/0x120\n ? trace_event_buffer_reserve+0x6b/0xc0\n ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0\n ? dpm_run_callback+0x3b/0xc0\n ? pm_ops_is_empty+0x50/0x50\n ? platform_get_irq_byname_optional+0x90/0x90\n ? trace_device_pm_callback_start+0x82/0xd0\n ? 
dpm_run_callback+0x49/0xc0\n\nWith the following RIP:\n\nRIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200\n\nSince the fix to the recursion detection would allow a single recursion to\nhappen while tracing, this lead to the trace_clock_global() taking a spin\nlock and then trying to take it again:\n\nring_buffer_lock_reserve() {\n trace_clock_global() {\n arch_spin_lock() {\n queued_spin_lock_slowpath() {\n /* lock taken */\n (something else gets traced by function graph tracer)\n ring_buffer_lock_reserve() {\n trace_clock_global() {\n arch_spin_lock() {\n queued_spin_lock_slowpath() {\n /* DEAD LOCK! */\n\nTracing should *never* block, as it can lead to strange lockups like the\nabove.\n\nRestructure the trace_clock_global() code to instead of simply taking a\nlock to update the recorded \"prev_time\" simply use it, as two events\nhappening on two different CPUs that calls this at the same time, really\ndoesn't matter which one goes first. Use a trylock to grab the lock for\nupdating the prev_time, and if it fails, simply try again the next time.\nIf it failed to be taken, that means something else is already updating\nit.\n\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46939", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46939", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46939", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46939", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46939", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46939" } }, "CVE-2021-46940": { "affected_versions": "v5.10-rc4 to v5.13-rc1", "breaks": "9972d5d84d76982606806b2ce887f70c2f8ba60a", "cmt_msg": "tools/power turbostat: Fix offset overflow issue in index converting", "fixes": "13a779de4175df602366d129e41782ad7168cef0", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability 
has been resolved:\n\ntools/power turbostat: Fix offset overflow issue in index converting\n\nThe idx_to_offset() function returns type int (32-bit signed), but\nMSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number.\nThe end result is that it hits the if (offset < 0) check in update_msr_sum()\nwhich prevents the timer callback from updating the stat in the background when\nlong durations are used. The similar issue exists in offset_to_idx() and\nupdate_msr_sum(). Fix this issue by converting the 'int' to 'off_t' accordingly.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46940", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46940", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46940", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46940", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46940", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46940" } }, "CVE-2021-46941": { "affected_versions": "v4.12-rc1 to v5.13-rc1", "breaks": "41ce1456e1dbbc7355d0fcc10cf7c337c13def24", "cmt_msg": "usb: dwc3: core: Do core softreset when switch mode", "fixes": "f88359e1588b85cf0e8209ab7d6620085f3441d9", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Do core softreset when switch mode\n\n\nAccording to the programming guide, to switch mode for DRD controller,\nthe driver needs to do the following.\n\nTo switch from device to host:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(host mode)\n3. Reset the host with USBCMD.HCRESET\n4. Then follow up with the initializing host registers sequence\n\nTo switch from host to device:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(device mode)\n3. Reset the device with DCTL.CSftRst\n4. 
Then follow up with the initializing registers sequence\n\nCurrently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of\nswitching from host to device. John Stult reported a lockup issue seen\nwith HiKey960 platform without these steps[1]. Similar issue is observed\nwith Ferry's testing platform[2].\n\nSo, apply the required steps along with some fixes to Yu Chen's and John\nStultz's version. The main fixes to their versions are the missing wait\nfor clocks synchronization before clearing GCTL.CoreSoftReset and only\napply DCTL.CSftRst when switching from host to device.\n\n[1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/\n[2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46941", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46941", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46941", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46941", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46941", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46941" } }, "CVE-2021-46942": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "37d1e2e3642e2380750d7f35279180826f29660e", "cmt_msg": "io_uring: fix shared sqpoll cancellation hangs", "fixes": "734551df6f9bedfbefcd113ede665945e9de0b99", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix shared sqpoll cancellation hangs\n\n[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.\n[ 736.982897] Call Trace:\n[ 736.982901] schedule+0x68/0xe0\n[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110\n[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30\n[ 736.982911] io_run_task_work_head+0x28/0x50\n[ 736.982913] io_sq_thread+0x4e3/0x720\n\nWe call io_uring_cancel_sqpoll() one by one for each ctx either 
in\nsq_thread() itself or via task works, and it's intended to cancel all\nrequests of a specified context. However the function uses per-task\ncounters to track the number of inflight requests, so it counts more\nrequests than available via currect io_uring ctx and goes to sleep for\nthem to appear (e.g. from IRQ), that will never happen.\n\nCancel a bit more than before, i.e. all ctxs that share sqpoll\nand continue to use shared counters. Don't forget that we should not\nremove ctx from the list before running that task_work sqpoll-cancel,\notherwise the function wouldn't be able to find the context and will\nhang.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46942", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46942", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46942", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46942", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46942", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46942" } }, "CVE-2021-46943": { "affected_versions": "v5.2-rc1 to v5.13-rc1", "breaks": "6d5f26f2e045f2377b524516194657c00efbbce8", "cmt_msg": "media: staging/intel-ipu3: Fix set_fmt error handling", "fixes": "ad91849996f9dd79741a961fd03585a683b08356", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix set_fmt error handling\n\nIf there in an error during a set_fmt, do not overwrite the previous\nsizes with the invalid config.\n\nWithout this patch, v4l2-compliance ends up allocating 4GiB of RAM and\ncausing the following OOPs\n\n[ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)\n[ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0\n[ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46943", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2021-46943", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46943", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46943", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46943", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46943" } }, "CVE-2021-46944": { "affected_versions": "v5.2-rc1 to v5.13-rc1", "breaks": "6d5f26f2e045f2377b524516194657c00efbbce8", "cmt_msg": "media: staging/intel-ipu3: Fix memory leak in imu_fmt", "fixes": "3630901933afba1d16c462b04d569b7576339223", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix memory leak in imu_fmt\n\nWe are losing the reference to an allocated memory if try. Change the\norder of the check to avoid that.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46944", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46944", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46944", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46944", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46944", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46944" } }, "CVE-2021-46945": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "014c9caa29d3a44e0de695c99ef18bec3e887d52", "cmt_msg": "ext4: always panic when errors=panic is specified", "fixes": "ac2f7ca51b0929461ea49918f27c11b680f28995", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: always panic when errors=panic is specified\n\nBefore commit 014c9caa29d3 (\"ext4: make ext4_abort() use\n__ext4_error()\"), the following series of commands would trigger a\npanic:\n\n1. mount /dev/sda -o ro,errors=panic test\n2. 
mount /dev/sda -o remount,abort test\n\nAfter commit 014c9caa29d3, remounting a file system using the test\nmount option \"abort\" will no longer trigger a panic. This commit will\nrestore the behaviour immediately before commit 014c9caa29d3.\n(However, note that the Linux kernel's behavior has not been\nconsistent; some previous kernel versions, including 5.4 and 4.19\nsimilarly did not panic after using the mount option \"abort\".)\n\nThis also makes a change to long-standing behaviour; namely, the\nfollowing series commands will now cause a panic, when previously it\ndid not:\n\n1. mount /dev/sda -o ro,errors=panic test\n2. echo test > /sys/fs/ext4/sda/trigger_fs_error\n\nHowever, this makes ext4's behaviour much more consistent, so this is\na good thing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46945", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46945", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46945", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46945", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46945", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46945" } }, "CVE-2021-46947": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "e26ca4b535820b1445dcef3c0f82b3fb5b45108b", "cmt_msg": "sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues", "fixes": "99ba0ea616aabdc8e26259fd722503e012199a76", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues\n\nefx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is\nlater used to allocate and traverse efx->xdp_tx_queues lookup array. However,\nwe may end up not initializing all the array slots with real queues during\nprobing. 
This results, for example, in a NULL pointer dereference, when running\n\"# ethtool -S \", similar to below\n\n[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8\n[2570283.681283][T4126959] #PF: supervisor read access in kernel mode\n[2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page\n[2570283.710013][T4126959] PGD 0 P4D 0\n[2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI\n[2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G O 5.10.20-cloudflare-2021.3.1 #1\n[2570283.752641][T4126959] Hardware name: \n[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]\n[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b\n[2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202\n[2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018\n[2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005\n[2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f\n[2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8\n[2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c\n[2570283.922705][T4126959] FS: 00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000\n[2570283.938848][T4126959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0\n[2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[2570283.997308][T4126959] PKRU: 55555554\n[2570284.007649][T4126959] Call 
Trace:\n[2570284.017598][T4126959] dev_ethtool+0x1832/0x2830\n\nFix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true\nvalue of initialized slots in efx->xdp_tx_queues.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46947", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46947", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46947", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46947", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46947", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46947" } }, "CVE-2021-46948": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "12804793b17c0e19115a90d98f2f3df0cb79e233", "cmt_msg": "sfc: farch: fix TX queue lookup in TX event handling", "fixes": "83b09a1807415608b387c7bc748d329fefc5617e", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX queue lookup in TX event handling\n\nWe're starting from a TXQ label, not a TXQ type, so\n efx_channel_get_tx_queue() is inappropriate (and could return NULL,\n leading to panics).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46948", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46948", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46948", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46948", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46948", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46948" } }, "CVE-2021-46949": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "12804793b17c0e19115a90d98f2f3df0cb79e233", "cmt_msg": "sfc: farch: fix TX queue lookup in TX flush done handling", "fixes": "5b1faa92289b53cad654123ed2bc8e10f6ddd4ac", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX 
queue lookup in TX flush done handling\n\nWe're starting from a TXQ instance number ('qid'), not a TXQ type, so\n efx_get_tx_queue() is inappropriate (and could return NULL, leading\n to panics).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46949", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46949", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46949", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46949", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46949", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46949" } }, "CVE-2021-46950": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "md/raid1: properly indicate failure when ending a failed write request", "fixes": "2417b9869b81882ab90fd5ed1081a1cb2d4db1dd", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: properly indicate failure when ending a failed write request\n\nThis patch addresses a data corruption bug in raid1 arrays using bitmaps.\nWithout this fix, the bitmap bits for the failed I/O end up being cleared.\n\nSince we are in the failure leg of raid1_end_write_request, the request\neither needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46950", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46950", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46950", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46950", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46950", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46950" } }, "CVE-2021-46951": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "tpm: efi: Use local variable for calculating final log size", "fixes": "48cff270b037022e37835d93361646205ca25101", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", 
"nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: efi: Use local variable for calculating final log size\n\nWhen tpm_read_log_efi is called multiple times, which happens when\none loads and unloads a TPM2 driver multiple times, then the global\nvariable efi_tpm_final_log_size will at some point become a negative\nnumber due to the subtraction of final_events_preboot_size occurring\neach time. Use a local variable to avoid this integer underflow.\n\nThe following issue is now resolved:\n\nMar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\nMar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]\nMar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20\nMar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4\nMar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206\nMar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f\nMar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d\nMar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073\nMar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5\nMar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018\nMar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000\nMar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nMar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0\nMar 8 15:35:12 hibinst kernel: Call Trace:\nMar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7\nMar 8 15:35:12 hibinst kernel: 
tpm_bios_log_setup+0xc8/0x1c0\nMar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260\nMar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]\nMar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370\nMar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0\nMar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46951", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46951", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46951", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46951" } }, "CVE-2021-46952": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds", "fixes": "c09f11ef35955785f92369e25819bf0629df2e59", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fs_context: validate UDP retrans to prevent shift out-of-bounds\n\nFix shift out-of-bounds in xprt_calc_majortimeo(). 
This is caused\nby a garbage timeout (retrans) mount option being passed to nfs mount,\nin this case from syzkaller.\n\nIf the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift\nvalue for a 64-bit long integer, so 'retrans' cannot be >= 64.\nIf it is >= 64, fail the mount and return an error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46952", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46952", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46952", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46952", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46952", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46952" } }, "CVE-2021-46953": { "affected_versions": "v4.12-rc1 to v5.13-rc1", "breaks": "ca9ae5ec4ef0ed13833b03297ab319676965492c", "cmt_msg": "ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure", "fixes": "1ecd5b129252249b9bc03d7645a7bda512747277", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure\n\nWhen failing the driver probe because of invalid firmware properties,\nthe GTDT driver unmaps the interrupt that it mapped earlier.\n\nHowever, it never checks whether the mapping of the interrupt actially\nsucceeded. 
Even more, should the firmware report an illegal interrupt\nnumber that overlaps with the GIC SGI range, this can result in an\nIPI being unmapped, and subsequent fireworks (as reported by Dann\nFrazier).\n\nRework the driver to have a slightly saner behaviour and actually\ncheck whether the interrupt has been mapped before unmapping things.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46953", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46953", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46953", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46953", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46953", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46953" } }, "CVE-2021-46954": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "c129412f74e99b609f0a8e95fc3915af1fd40f34", "cmt_msg": "net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets", "fixes": "31fe34a0118e0acc958c802e830ad5d37ef6b1d3", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets\n\nwhen 'act_mirred' tries to fragment IPv4 packets that had been previously\nre-assembled using 'act_ct', splats like the following can be observed on\nkernels built with KASAN:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888147009574 by task ping/947\n\n CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n \n dump_stack+0x92/0xc1\n print_address_description.constprop.7+0x1a/0x150\n kasan_report.cold.13+0x7f/0x111\n ip_do_fragment+0x1b03/0x1f60\n sch_fragment+0x4bf/0xe40\n tcf_mirred_act+0xc3d/0x11a0 [act_mirred]\n tcf_action_exec+0x104/0x3e0\n fl_classify+0x49a/0x5e0 [cls_flower]\n 
tcf_classify_ingress+0x18a/0x820\n __netif_receive_skb_core+0xae7/0x3340\n __netif_receive_skb_one_core+0xb6/0x1b0\n process_backlog+0x1ef/0x6c0\n __napi_poll+0xaa/0x500\n net_rx_action+0x702/0xac0\n __do_softirq+0x1e4/0x97f\n do_softirq+0x71/0x90\n \n __local_bh_enable_ip+0xdb/0xf0\n ip_finish_output2+0x760/0x2120\n ip_do_fragment+0x15a5/0x1f60\n __ip_finish_output+0x4c2/0xea0\n ip_output+0x1ca/0x4d0\n ip_send_skb+0x37/0xa0\n raw_sendmsg+0x1c4b/0x2d00\n sock_sendmsg+0xdb/0x110\n __sys_sendto+0x1d7/0x2b0\n __x64_sys_sendto+0xdd/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f82e13853eb\n Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89\n RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb\n RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003\n RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0\n R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0\n\n The buggy address belongs to the page:\n page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009\n flags: 0x17ffffc0001000(reserved)\n raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000\n raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00\n >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2\n ^\n ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 
00 f2 f2 f2\n\nfor IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n ip_do_fragment()\n ip_skb_dst_mtu()\n ip_dst_mtu_maybe_forward()\n ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin sch_fragment(), similarly to what is done for IPv6 few lines below.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46954", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46954", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46954", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46954", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46954", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46954" } }, "CVE-2021-46955": { "affected_versions": "v4.16-rc7 to v5.13-rc1", "breaks": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221", "cmt_msg": "openvswitch: fix stack OOB read while fragmenting IPv4 packets", "fixes": "7c0ea5930c1c211931819d83cfb157bff1539a4c", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix stack OOB read while fragmenting IPv4 packets\n\nrunning openvswitch on kernels built with KASAN, it's possible to see the\nfollowing splat while testing fragmentation of IPv4 packets:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888112fc713c by task handler2/1367\n\n CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n dump_stack+0x92/0xc1\n print_address_description.constprop.7+0x1a/0x150\n kasan_report.cold.13+0x7f/0x111\n ip_do_fragment+0x1b03/0x1f60\n ovs_fragment+0x5bf/0x840 [openvswitch]\n 
do_execute_actions+0x1bd5/0x2400 [openvswitch]\n ovs_execute_actions+0xc8/0x3d0 [openvswitch]\n ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]\n genl_family_rcv_msg_doit.isra.15+0x227/0x2d0\n genl_rcv_msg+0x287/0x490\n netlink_rcv_skb+0x120/0x380\n genl_rcv+0x24/0x40\n netlink_unicast+0x439/0x630\n netlink_sendmsg+0x719/0xbf0\n sock_sendmsg+0xe2/0x110\n ____sys_sendmsg+0x5ba/0x890\n ___sys_sendmsg+0xe9/0x160\n __sys_sendmsg+0xd3/0x170\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f957079db07\n Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48\n RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07\n RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019\n RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730\n R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0\n\n The buggy address belongs to the page:\n page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:\n ovs_fragment+0x0/0x840 [openvswitch]\n\n this frame has 2 objects:\n [32, 144) 'ovs_dst'\n [192, 424) 'ovs_rt'\n\n Memory state around the buggy address:\n ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00\n >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00\n ^\n ffff888112fc7180: 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00\n\nfor IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n ip_do_fragment()\n ip_skb_dst_mtu()\n ip_dst_mtu_maybe_forward()\n ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin ovs_fragment(), similarly to what is done for IPv6 few lines below.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46955", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46955", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46955", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46955", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46955", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46955" } }, "CVE-2021-46956": { "affected_versions": "v5.4-rc1 to v5.13-rc1", "breaks": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a", "cmt_msg": "virtiofs: fix memory leak in virtio_fs_probe()", "fixes": "c79c5e0178922a9e092ec8fed026750f39dcaef4", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: fix memory leak in virtio_fs_probe()\n\nWhen accidentally passing twice the same tag to qemu, kmemleak ended up\nreporting a memory leak in virtiofs. 
Also, looking at the log I saw the\nfollowing error (that's when I realised the duplicated tag):\n\n virtiofs: probe of virtio5 failed with error -17\n\nHere's the kmemleak log for reference:\n\nunreferenced object 0xffff888103d47800 (size 1024):\n comm \"systemd-udevd\", pid 118, jiffies 4294893780 (age 18.340s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................\n backtrace:\n [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs]\n [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210\n [<000000004d6baf3c>] really_probe+0xea/0x430\n [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0\n [<00000000196f47a7>] __driver_attach+0x98/0x140\n [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0\n [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0\n [<0000000032b09ba7>] driver_register+0x8f/0xe0\n [<00000000cdd55998>] 0xffffffffa002c013\n [<000000000ea196a2>] do_one_initcall+0x64/0x2e0\n [<0000000008f727ce>] do_init_module+0x5c/0x260\n [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120\n [<00000000ad2f48c6>] do_syscall_64+0x33/0x40\n [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46956", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46956", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46956", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46956", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46956", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46956" } }, "CVE-2021-46957": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5", "cmt_msg": "riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe", "fixes": "b1ebaa0e1318494a7637099a26add50509e37964", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following 
vulnerability has been resolved:\n\nriscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe\n\nThe execution of sys_read end up hitting a BUG_ON() in __find_get_block\nafter installing kprobe at sys_read, the BUG message like the following:\n\n[ 65.708663] ------------[ cut here ]------------\n[ 65.709987] kernel BUG at fs/buffer.c:1251!\n[ 65.711283] Kernel BUG [#1]\n[ 65.712032] Modules linked in:\n[ 65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1\n[ 65.714407] Hardware name: riscv-virtio,qemu (DT)\n[ 65.715696] epc : __find_get_block+0x218/0x2c8\n[ 65.716835] ra : __getblk_gfp+0x1c/0x4a\n[ 65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930\n[ 65.719553] gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038\n[ 65.721290] t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960\n[ 65.723051] s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a\n[ 65.724772] a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040\n[ 65.726545] a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000\n[ 65.728308] s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008\n[ 65.730049] s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8\n[ 65.731802] s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008\n[ 65.733516] s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f\n[ 65.734434] t5 : 00000000000003ff t6 : 0000000000040000\n[ 65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003\n[ 65.734901] Call Trace:\n[ 65.735076] [] __find_get_block+0x218/0x2c8\n[ 65.735417] [] __ext4_get_inode_loc+0xb2/0x2f6\n[ 65.735618] [] ext4_get_inode_loc+0x3a/0x8a\n[ 65.735802] [] ext4_reserve_inode_write+0x2e/0x8c\n[ 65.735999] [] __ext4_mark_inode_dirty+0x4c/0x18e\n[ 65.736208] [] ext4_dirty_inode+0x46/0x66\n[ 65.736387] [] __mark_inode_dirty+0x12c/0x3da\n[ 65.736576] [] touch_atime+0x146/0x150\n[ 65.736748] [] 
filemap_read+0x234/0x246\n[ 65.736920] [] generic_file_read_iter+0xc0/0x114\n[ 65.737114] [] ext4_file_read_iter+0x42/0xea\n[ 65.737310] [] new_sync_read+0xe2/0x15a\n[ 65.737483] [] vfs_read+0xca/0xf2\n[ 65.737641] [] ksys_read+0x5e/0xc8\n[ 65.737816] [] sys_read+0xe/0x16\n[ 65.737973] [] ret_from_syscall+0x0/0x2\n[ 65.738858] ---[ end trace fe93f985456c935d ]---\n\nA simple reproducer looks like:\n\techo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events\n\techo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable\n\tcat /sys/kernel/debug/tracing/trace\n\nHere's what happens to hit that BUG_ON():\n\n1) After installing kprobe at entry of sys_read, the first instruction\n is replaced by 'ebreak' instruction on riscv64 platform.\n\n2) Once kernel reach the 'ebreak' instruction at the entry of sys_read,\n it trap into the riscv breakpoint handler, where it do something to\n setup for coming single-step of origin instruction, including backup\n the 'sstatus' in pt_regs, followed by disable interrupt during single\n stepping via clear 'SIE' bit of 'sstatus' in pt_regs.\n\n3) Then kernel restore to the instruction slot contains two instructions,\n one is original instruction at entry of sys_read, the other is 'ebreak'.\n Here it trigger a 'Instruction page fault' exception (value at 'scause'\n is '0xc'), if PF is not filled into PageTabe for that slot yet.\n\n4) Again kernel trap into page fault exception handler, where it choose\n different policy according to the state of running kprobe. 
Because\n afte 2) the state is KPROBE_HIT_SS, so kernel reset the current kp\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46957", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46957", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46957", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46957", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46957", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46957" } }, "CVE-2021-46958": { "affected_versions": "v5.7-rc4 to v5.13-rc1", "breaks": "ef67963dac255b293e19815ea3d440567be4626f", "cmt_msg": "btrfs: fix race between transaction aborts and fsyncs leading to use-after-free", "fixes": "061dde8245356d8864d29e25207aa4daa0be4d3c", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\n\nThere is a race between a task aborting a transaction during a commit,\na task doing an fsync and the transaction kthread, which leads to an\nuse-after-free of the log root tree. 
When this happens, it results in a\nstack trace like the following:\n\n BTRFS info (device dm-0): forced readonly\n BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\n BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\n BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\n BTRFS error (device dm-0): error writing primary super block to device 1\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\n BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\n BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\n general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__mutex_lock+0x139/0xa40\n Code: c0 74 19 (...)\n RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\n RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\n RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\n R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\n FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa913d52000 CR3: 
000000013d2b4003 CR4: 0000000000370ee0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\n ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n btrfs_sync_log+0x7c1/0xf20 [btrfs]\n btrfs_sync_file+0x40c/0x580 [btrfs]\n do_fsync+0x38/0x70\n __x64_sys_fsync+0x10/0x20\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fa9142a55c3\n Code: 8b 15 09 (...)\n RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\n RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\n RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\n RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\n R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\n Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\n ---[ end trace ee2f1b19327d791d ]---\n\nThe steps that lead to this crash are the following:\n\n1) We are at transaction N;\n\n2) We have two tasks with a transaction handle attached to transaction N.\n Task A and Task B. Task B is doing an fsync;\n\n3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree\n into a local variable named 'log_root_tree' at the top of\n btrfs_sync_log(). 
Task B is about to call write_all_supers(), but\n before that...\n\n4) Task A calls btrfs_commit_transaction(), and after it sets the\n transaction state to TRANS_STATE_COMMIT_START, an error happens before\n it w\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46958", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46958", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46958", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46958", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46958", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46958" } }, "CVE-2021-46959": { "affected_versions": "v2.6.12-rc2 to v5.13-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "spi: Fix use-after-free with devm_spi_alloc_*", "fixes": "794aaf01444d4e765e2b067cba01cc69c1c68ed9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix use-after-free with devm_spi_alloc_*\n\nWe can't rely on the contents of the devres list during\nspi_unregister_controller(), as the list is already torn down at the\ntime we perform devres_find() for devm_spi_release_controller. 
This\ncauses devices registered with devm_spi_alloc_{master,slave}() to be\nmistakenly identified as legacy, non-devm managed devices and have their\nreference counters decremented below 0.\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174\n[] (refcount_warn_saturate) from [] (kobject_put+0x90/0x98)\n[] (kobject_put) from [] (put_device+0x20/0x24)\n r4:b6700140\n[] (put_device) from [] (devm_spi_release_controller+0x3c/0x40)\n[] (devm_spi_release_controller) from [] (release_nodes+0x84/0xc4)\n r5:b6700180 r4:b6700100\n[] (release_nodes) from [] (devres_release_all+0x5c/0x60)\n r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10\n[] (devres_release_all) from [] (__device_release_driver+0x144/0x1ec)\n r5:b117ad94 r4:b163dc10\n[] (__device_release_driver) from [] (device_driver_detach+0x84/0xa0)\n r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10\n[] (device_driver_detach) from [] (unbind_store+0xe4/0xf8)\n\nInstead, determine the devm allocation state as a flag on the\ncontroller which is guaranteed to be stable during cleanup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46959", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46959", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46959", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46959", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46959", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46959" } }, "CVE-2021-46960": { "affected_versions": "v4.11-rc1 to v5.13-rc1", "breaks": "61cfac6f267dabcf2740a7ec8a0295833b28b5f5", "cmt_msg": "cifs: Return correct error code from smb2_get_enc_key", "fixes": "83728cbf366e334301091d5b808add468ab46b27", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Return correct error code from smb2_get_enc_key\n\nAvoid a 
warning if the error percolates back up:\n\n[440700.376476] CIFS VFS: \\\\otters.example.com crypt_message: Could not get encryption key\n[440700.386947] ------------[ cut here ]------------\n[440700.386948] err = 1\n[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70\n...\n[440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G OE 5.4.0-70-generic #78~18.04.1-Ubuntu\n...\n[440700.397334] Call Trace:\n[440700.397346] __filemap_set_wb_err+0x1a/0x70\n[440700.397419] cifs_writepages+0x9c7/0xb30 [cifs]\n[440700.397426] do_writepages+0x4b/0xe0\n[440700.397444] __filemap_fdatawrite_range+0xcb/0x100\n[440700.397455] filemap_write_and_wait+0x42/0xa0\n[440700.397486] cifs_setattr+0x68b/0xf30 [cifs]\n[440700.397493] notify_change+0x358/0x4a0\n[440700.397500] utimes_common+0xe9/0x1c0\n[440700.397510] do_utimes+0xc5/0x150\n[440700.397520] __x64_sys_utimensat+0x88/0xd0", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46960", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46960", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46960", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46960", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46960", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46960" } }, "CVE-2021-46961": { "affected_versions": "v5.1-rc1 to v5.13-rc1", "breaks": "3f1f3234bc2db1c16b9818b9a15a5d58ad45251c", "cmt_msg": "irqchip/gic-v3: Do not enable irqs when handling spurious interrups", "fixes": "a97709f563a078e259bf0861cd259aa60332890a", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Do not enable irqs when handling spurious interrups\n\nWe triggered the following error while running our 4.19 kernel\nwith the pseudo-NMI patches backported to it:\n\n[ 14.816231] ------------[ cut here ]------------\n[ 14.816231] 
kernel BUG at irq.c:99!\n[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP\n[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))\n[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14\n[ 14.816233] Hardware name: evb (DT)\n[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[ 14.816234] pc : asm_nmi_enter+0x94/0x98\n[ 14.816235] lr : asm_nmi_enter+0x18/0x98\n[ 14.816235] sp : ffff000008003c50\n[ 14.816235] pmr_save: 00000070\n[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0\n[ 14.816238] x27: 0000000000000000 x26: ffff000008004000\n[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000\n[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc\n[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060\n[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff\n[ 14.816243] x17: 0000000000000008 x16: 003d090000000000\n[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40\n[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000\n[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5\n[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f\n[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e\n[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000\n[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000\n[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0\n[ 14.816251] Call trace:\n[ 14.816251] asm_nmi_enter+0x94/0x98\n[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)\n[ 14.816252] gic_handle_irq+0xbc/0x2e4\n[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)\n[ 14.816253] arch_timer_handler_virt+0x38/0x58\n[ 14.816253] handle_percpu_devid_irq+0x90/0x240\n[ 14.816253] generic_handle_irq+0x34/0x50\n[ 14.816254] __handle_domain_irq+0x68/0xc0\n[ 14.816254] gic_handle_irq+0xf8/0x2e4\n[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)\n[ 14.816255] arch_cpu_idle+0x34/0x1c8\n[ 14.816255] default_idle_call+0x24/0x44\n[ 14.816256] do_idle+0x1d0/0x2c8\n[ 14.816256] cpu_startup_entry+0x28/0x30\n[ 14.816256] rest_init+0xb8/0xc8\n[ 
14.816257] start_kernel+0x4c8/0x4f4\n[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)\n[ 14.816258] Modules linked in: start_dp(O) smeth(O)\n[ 15.103092] ---[ end trace 701753956cb14aa8 ]---\n[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt\n[ 15.103099] SMP: stopping secondary CPUs\n[ 15.103100] Kernel Offset: disabled\n[ 15.103100] CPU features: 0x36,a2400218\n[ 15.103100] Memory Limit: none\n\nwhich is cause by a 'BUG_ON(in_nmi())' in nmi_enter().\n\nFrom the call trace, we can find three interrupts (noted A, B, C above):\ninterrupt (A) is preempted by (B), which is further interrupted by (C).\n\nSubsequent investigations show that (B) results in nmi_enter() being\ncalled, but that it actually is a spurious interrupt. Furthermore,\ninterrupts are reenabled in the context of (B), and (C) fires with\nNMI priority. We end-up with a nested NMI situation, something\nwe definitely do not want to (and cannot) handle.\n\nThe bug here is that spurious interrupts should never result in any\nstate change, and we should just return to the interrupted context.\nMoving the handling of spurious interrupts as early as possible in\nthe GICv3 handler fixes this issue.\n\n[maz: rewrote commit message, corrected Fixes: tag]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46961", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46961", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46961", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46961", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46961", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46961" } }, "CVE-2021-46962": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "mmc: uniphier-sd: Fix a resource leak in the remove function", "fixes": "e29c84857e2d51aa017ce04284b962742fb97d9e", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has 
been resolved:\n\nmmc: uniphier-sd: Fix a resource leak in the remove function\n\nA 'tmio_mmc_host_free()' call is missing in the remove function, in order\nto balance a 'tmio_mmc_host_alloc()' call in the probe.\nThis is done in the error handling path of the probe, but not in the remove\nfunction.\n\nAdd the missing call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46962", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46962", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46962", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46962", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46962", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46962" } }, "CVE-2021-46963": { "affected_versions": "v5.5-rc1 to v5.13-rc1", "breaks": "af2a0c51b1205327f55a7e82e530403ae1d42cbb", "cmt_msg": "scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()", "fixes": "6641df81ab799f28a5d564f860233dd26cca0d93", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()\n\n RIP: 0010:kmem_cache_free+0xfa/0x1b0\n Call Trace:\n qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]\n scsi_queue_rq+0x5e2/0xa40\n __blk_mq_try_issue_directly+0x128/0x1d0\n blk_mq_request_issue_directly+0x4e/0xb0\n\nFix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now\nallocated by upper layers. 
This fixes smatch warning of srb unintended\nfree.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46963", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46963", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46963", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46963", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46963", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46963" } }, "CVE-2021-46964": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f", "cmt_msg": "scsi: qla2xxx: Reserve extra IRQ vectors", "fixes": "f02d4086a8f36a0e1aaebf559b54cf24a177a486", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Reserve extra IRQ vectors\n\nCommit a6dcfe08487e (\"scsi: qla2xxx: Limit interrupt vectors to number of\nCPUs\") lowers the number of allocated MSI-X vectors to the number of CPUs.\n\nThat breaks vector allocation assumptions in qla83xx_iospace_config(),\nqla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions\ncomputes maximum number of qpairs as:\n\n ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default\n response queue) - 1 (ATIO, in dual or pure target mode)\n\nmax_qpairs is set to zero in case of two CPUs and initiator mode. The\nnumber is then used to allocate ha->queue_pair_map inside\nqla2x00_alloc_queues(). 
No allocation happens and ha->queue_pair_map is\nleft NULL but the driver thinks there are queue pairs available.\n\nqla2xxx_queuecommand() tries to find a qpair in the map and crashes:\n\n if (ha->mqenable) {\n uint32_t tag;\n uint16_t hwq;\n struct qla_qpair *qpair = NULL;\n\n tag = blk_mq_unique_tag(cmd->request);\n hwq = blk_mq_unique_tag_to_hwq(tag);\n qpair = ha->queue_pair_map[hwq]; # <- HERE\n\n if (qpair)\n return qla2xxx_mqueuecommand(host, cmd, qpair);\n }\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP PTI\n CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014\n Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]\n RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]\n Call Trace:\n scsi_queue_rq+0x58c/0xa60\n blk_mq_dispatch_rq_list+0x2b7/0x6f0\n ? __sbitmap_get_word+0x2a/0x80\n __blk_mq_sched_dispatch_requests+0xb8/0x170\n blk_mq_sched_dispatch_requests+0x2b/0x50\n __blk_mq_run_hw_queue+0x49/0xb0\n __blk_mq_delay_run_hw_queue+0xfb/0x150\n blk_mq_sched_insert_request+0xbe/0x110\n blk_execute_rq+0x45/0x70\n __scsi_execute+0x10e/0x250\n scsi_probe_and_add_lun+0x228/0xda0\n __scsi_scan_target+0xf4/0x620\n ? __pm_runtime_resume+0x4f/0x70\n scsi_scan_target+0x100/0x110\n fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]\n process_one_work+0x1ea/0x3b0\n worker_thread+0x28/0x3b0\n ? process_one_work+0x3b0/0x3b0\n kthread+0x112/0x130\n ? 
kthread_park+0x80/0x80\n ret_from_fork+0x22/0x30\n\nThe driver should allocate enough vectors to provide every CPU it's own HW\nqueue and still handle reserved (MB, RSP, ATIO) interrupts.\n\nThe change fixes the crash on dual core VM and prevents unbalanced QP\nallocation where nr_hw_queues is two less than the number of CPUs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46964", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46964", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46964", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46964", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46964", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46964" } }, "CVE-2021-46965": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "mtd: physmap: physmap-bt1-rom: Fix unintentional stack access", "fixes": "683313993dbe1651c7aa00bb42a041d70e914925", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: physmap: physmap-bt1-rom: Fix unintentional stack access\n\nCast &data to (char *) in order to avoid unintentionally accessing\nthe stack.\n\nNotice that data is of type u32, so any increment to &data\nwill be in the order of 4-byte chunks, and this piece of code\nis actually intended to be a byte offset.\n\nAddresses-Coverity-ID: 1497765 (\"Out-of-bounds access\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46965", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46965", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46965", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46965", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46965", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46965" } }, "CVE-2021-46966": { "affected_versions": "v5.4-rc1 to v5.13-rc1", "breaks": "03d1571d9513369c17e6848476763ebbd10ec2cb", "cmt_msg": "ACPI: 
custom_method: fix potential use-after-free issue", "fixes": "e483bb9a991bdae29a0caa4b3a6d002c968f94aa", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: custom_method: fix potential use-after-free issue\n\nIn cm_write(), buf is always freed when reaching the end of the\nfunction. If the requested count is less than table.length, the\nallocated buffer will be freed but subsequent calls to cm_write() will\nstill try to access it.\n\nRemove the unconditional kfree(buf) at the end of the function and\nset the buf to NULL in the -EINVAL error path to match the rest of\nfunction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46966", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46966", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46966", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46966", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46966", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46966" } }, "CVE-2021-46967": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "ddd89d0a059d8e9740c75a97e0efe9bf07ee51f9", "cmt_msg": "vhost-vdpa: fix vm_flags for virtqueue doorbell mapping", "fixes": "3a3e0fad16d40a2aa68ddf7eea4acdf48b22dd44", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-vdpa: fix vm_flags for virtqueue doorbell mapping\n\nThe virtqueue doorbell is usually implemented via registeres but we\ndon't provide the necessary vma->flags like VM_PFNMAP. This may cause\nseveral issues e.g when userspace tries to map the doorbell via vhost\nIOTLB, kernel may panic due to the page is not backed by page\nstructure. This patch fixes this by setting the necessary\nvm_flags. 
With this patch, try to map doorbell via IOTLB will fail\nwith bad address.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46967", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46967", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46967", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46967", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46967", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46967" } }, "CVE-2021-46968": { "affected_versions": "v5.10-rc3 to v5.13-rc1", "breaks": "29c2680fd2bf3862ff5cf2957f198512493156f9", "cmt_msg": "s390/zcrypt: fix zcard and zqueue hot-unplug memleak", "fixes": "70fac8088cfad9f3b379c9082832b4d7532c16c2", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix zcard and zqueue hot-unplug memleak\n\nTests with kvm and a kmemdebug kernel showed, that on hot unplug the\nzcard and zqueue structs for the unplugged card or queue are not\nproperly freed because of a mismatch with get/put for the embedded\nkref counter.\n\nThis fix now adjusts the handling of the kref counters. With init the\nkref counter starts with 1. 
This initial value needs to drop to zero\nwith the unregister of the card or queue to trigger the release and\nfree the object.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46968", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46968", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46968", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46968", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46968", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46968" } }, "CVE-2021-46969": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "bus: mhi: core: Fix invalid error returning in mhi_queue", "fixes": "0ecc1c70dcd32c0f081b173a1a5d89952686f271", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: core: Fix invalid error returning in mhi_queue\n\nmhi_queue returns an error when the doorbell is not accessible in\nthe current state. This can happen when the device is in non M0\nstate, like M3, and needs to be waken-up prior ringing the DB. 
This\ncase is managed earlier by triggering an asynchronous M3 exit via\ncontroller resume/suspend callbacks, that in turn will cause M0\ntransition and DB update.\n\nSo, since it's not an error but just delaying of doorbell update, there\nis no reason to return an error.\n\nThis also fixes a use after free error for skb case, indeed a caller\nqueuing skb will try to free the skb if the queueing fails, but in\nthat case queueing has been done.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46969", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46969", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46969", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46969", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46969", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46969" } }, "CVE-2021-46970": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "bus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue", "fixes": "0fccbf0a3b690b162f53b13ed8bc442ea33437dc", "last_affected_version": "5.12.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue\n\nA recent change created a dedicated workqueue for the state-change work\nwith WQ_HIGHPRI (no strong reason for that) and WQ_MEM_RECLAIM flags,\nbut the state-change work (mhi_pm_st_worker) does not guarantee forward\nprogress under memory pressure, and will even wait on various memory\nallocations when e.g. creating devices, loading firmware, etc... 
The\nwork is then not part of a memory reclaim path...\n\nMoreover, this causes a warning in check_flush_dependency() since we end\nup in code that flushes a non-reclaim workqueue:\n\n[ 40.969601] workqueue: WQ_MEM_RECLAIM mhi_hiprio_wq:mhi_pm_st_worker [mhi] is flushing !WQ_MEM_RECLAIM events_highpri:flush_backlog\n[ 40.969612] WARNING: CPU: 4 PID: 158 at kernel/workqueue.c:2607 check_flush_dependency+0x11c/0x140\n[ 40.969733] Call Trace:\n[ 40.969740] __flush_work+0x97/0x1d0\n[ 40.969745] ? wake_up_process+0x15/0x20\n[ 40.969749] ? insert_work+0x70/0x80\n[ 40.969750] ? __queue_work+0x14a/0x3e0\n[ 40.969753] flush_work+0x10/0x20\n[ 40.969756] rollback_registered_many+0x1c9/0x510\n[ 40.969759] unregister_netdevice_queue+0x94/0x120\n[ 40.969761] unregister_netdev+0x1d/0x30\n[ 40.969765] mhi_net_remove+0x1a/0x40 [mhi_net]\n[ 40.969770] mhi_driver_remove+0x124/0x250 [mhi]\n[ 40.969776] device_release_driver_internal+0xf0/0x1d0\n[ 40.969778] device_release_driver+0x12/0x20\n[ 40.969782] bus_remove_device+0xe1/0x150\n[ 40.969786] device_del+0x17b/0x3e0\n[ 40.969791] mhi_destroy_device+0x9a/0x100 [mhi]\n[ 40.969796] ? 
mhi_unmap_single_use_bb+0x50/0x50 [mhi]\n[ 40.969799] device_for_each_child+0x5e/0xa0\n[ 40.969804] mhi_pm_st_worker+0x921/0xf50 [mhi]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46970", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46970", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46970", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46970", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46970", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46970" } }, "CVE-2021-46971": { "affected_versions": "v5.4-rc1 to v5.13-rc1", "breaks": "b0c8fdc7fdb77586c3d1937050925b960743306e", "cmt_msg": "perf/core: Fix unconditional security_locked_down() call", "fixes": "08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b", "last_affected_version": "5.12.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix unconditional security_locked_down() call\n\nCurrently, the lockdown state is queried unconditionally, even though\nits result is used only if the PERF_SAMPLE_REGS_INTR bit is set in\nattr.sample_type. While that doesn't matter in case of the Lockdown LSM,\nit causes trouble with the SELinux's lockdown hook implementation.\n\nSELinux implements the locked_down hook with a check whether the current\ntask's type has the corresponding \"lockdown\" class permission\n(\"integrity\" or \"confidentiality\") allowed in the policy. 
This means\nthat calling the hook when the access control decision would be ignored\ngenerates a bogus permission check and audit record.\n\nFix this by checking sample_type first and only calling the hook when\nits result would be honored.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46971", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46971", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46971", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46971", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46971", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46971" } }, "CVE-2021-46972": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "6815f479ca90ee7fd2e28b2a420f796b974155fe", "cmt_msg": "ovl: fix leaked dentry", "fixes": "eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41", "last_affected_version": "5.12.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix leaked dentry\n\nSince commit 6815f479ca90 (\"ovl: use only uppermetacopy state in\novl_lookup()\"), overlayfs doesn't put temporary dentry when there is a\nmetacopy error, which leads to dentry leaks when shutting down the related\nsuperblock:\n\n overlayfs: refusing to follow metacopy origin for (/file0)\n ...\n BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]\n ...\n WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d\n CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1\n ...\n RIP: 0010:umount_check.cold+0x107/0x14d\n ...\n Call Trace:\n d_walk+0x28c/0x950\n ? dentry_lru_isolate+0x2b0/0x2b0\n ? 
__kasan_slab_free+0x12/0x20\n do_one_tree+0x33/0x60\n shrink_dcache_for_umount+0x78/0x1d0\n generic_shutdown_super+0x70/0x440\n kill_anon_super+0x3e/0x70\n deactivate_locked_super+0xc4/0x160\n deactivate_super+0xfa/0x140\n cleanup_mnt+0x22e/0x370\n __cleanup_mnt+0x1a/0x30\n task_work_run+0x139/0x210\n do_exit+0xb0c/0x2820\n ? __kasan_check_read+0x1d/0x30\n ? find_held_lock+0x35/0x160\n ? lock_release+0x1b6/0x660\n ? mm_update_next_owner+0xa20/0xa20\n ? reacquire_held_locks+0x3f0/0x3f0\n ? __sanitizer_cov_trace_const_cmp4+0x22/0x30\n do_group_exit+0x135/0x380\n __do_sys_exit_group.isra.0+0x20/0x20\n __x64_sys_exit_group+0x3c/0x50\n do_syscall_64+0x45/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n ...\n VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...\n\nThis fix has been tested with a syzkaller reproducer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46972", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46972", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46972", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46972" } }, "CVE-2021-46973": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "6e728f321393b1fce9e1c2c3e55f9f7c15991321", "cmt_msg": "net: qrtr: Avoid potential use after free in MHI send", "fixes": "47a017f33943278570c072bc71681809b2567b3a", "last_affected_version": "5.12.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Avoid potential use after free in MHI send\n\nIt is possible that the MHI ul_callback will be invoked immediately\nfollowing the queueing of the skb for transmission, leading to the\ncallback decrementing the refcount of the associated sk and freeing the\nskb.\n\nAs such the dereference of skb and the increment of the sk refcount 
must\nhappen before the skb is queued, to avoid the skb to be used after free\nand potentially the sk to drop its last refcount..", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46973", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46973", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46973", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46973", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46973", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46973" } }, "CVE-2021-46974": { "affected_versions": "v5.0-rc1 to v5.13-rc1", "breaks": "979d63d50c0c0f7bc537bf821e056cc9fe5abd38", "cmt_msg": "bpf: Fix masking negation logic upon negative dst register", "fixes": "b9b34ddbe2076ade359cd5ce7537d5ed019e9807", "last_affected_version": "5.12.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. 
The single non-AX mov in between is possible given constant\nblinding is retaining it as it's not an immediate based operation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46974", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46974", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46974", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46974", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46974", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46974" } }, "CVE-2021-46976": { "affected_versions": "v5.8-rc1 to v5.13-rc2", "breaks": "229007e02d697b0662f85378aae53531b0dfea05", "cmt_msg": "drm/i915: Fix crash in auto_retire", "fixes": "402be8a101190969fc7ff122d07e262df86e132b", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix crash in auto_retire\n\nThe retire logic uses the 2 lower bits of the pointer to the retire\nfunction to store flags. 
However, the auto_retire function is not\nguaranteed to be aligned to a multiple of 4, which causes crashes as\nwe jump to the wrong address, for example like this:\n\n2021-04-24T18:03:53.804300Z WARNING kernel: [ 516.876901] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n2021-04-24T18:03:53.804310Z WARNING kernel: [ 516.876906] CPU: 7 PID: 146 Comm: kworker/u16:6 Tainted: G U 5.4.105-13595-g3cd84167b2df #1\n2021-04-24T18:03:53.804311Z WARNING kernel: [ 516.876907] Hardware name: Google Volteer2/Volteer2, BIOS Google_Volteer2.13672.76.0 02/22/2021\n2021-04-24T18:03:53.804312Z WARNING kernel: [ 516.876911] Workqueue: events_unbound active_work\n2021-04-24T18:03:53.804313Z WARNING kernel: [ 516.876914] RIP: 0010:auto_retire+0x1/0x20\n2021-04-24T18:03:53.804314Z WARNING kernel: [ 516.876916] Code: e8 01 f2 ff ff eb 02 31 db 48 89 d8 5b 5d c3 0f 1f 44 00 00 55 48 89 e5 f0 ff 87 c8 00 00 00 0f 88 ab 47 4a 00 31 c0 5d c3 0f <1f> 44 00 00 55 48 89 e5 f0 ff 8f c8 00 00 00 0f 88 9a 47 4a 00 74\n2021-04-24T18:03:53.804319Z WARNING kernel: [ 516.876918] RSP: 0018:ffff9b4d809fbe38 EFLAGS: 00010286\n2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876919] RAX: 0000000000000007 RBX: ffff927915079600 RCX: 0000000000000007\n2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876921] RDX: ffff9b4d809fbe40 RSI: 0000000000000286 RDI: ffff927915079600\n2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876922] RBP: ffff9b4d809fbe68 R08: 8080808080808080 R09: fefefefefefefeff\n2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876924] R10: 0000000000000010 R11: ffffffff92e44bd8 R12: ffff9279150796a0\n2021-04-24T18:03:53.804322Z WARNING kernel: [ 516.876925] R13: ffff92791c368180 R14: ffff927915079640 R15: 000000001c867605\n2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876926] FS: 0000000000000000(0000) GS:ffff92791ffc0000(0000) knlGS:0000000000000000\n2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n2021-04-24T18:03:53.804324Z 
WARNING kernel: [ 516.876929] CR2: 0000239514955000 CR3: 00000007f82da001 CR4: 0000000000760ee0\n2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876930] PKRU: 55555554\n2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876931] Call Trace:\n2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876935] __active_retire+0x77/0xcf\n2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876939] process_one_work+0x1da/0x394\n2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876941] worker_thread+0x216/0x375\n2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876944] kthread+0x147/0x156\n2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876946] ? pr_cont_work+0x58/0x58\n2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876948] ? kthread_blkcg+0x2e/0x2e\n2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876950] ret_from_fork+0x1f/0x40\n2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876952] Modules linked in: cdc_mbim cdc_ncm cdc_wdm xt_cgroup rfcomm cmac algif_hash algif_skcipher af_alg xt_MASQUERADE uinput snd_soc_rt5682_sdw snd_soc_rt5682 snd_soc_max98373_sdw snd_soc_max98373 snd_soc_rl6231 regmap_sdw snd_soc_sof_sdw snd_soc_hdac_hdmi snd_soc_dmic snd_hda_codec_hdmi snd_sof_pci snd_sof_intel_hda_common intel_ipu6_psys snd_sof_xtensa_dsp soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core soundwire_bus snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core intel_ipu6_isys videobuf2_dma_contig videobuf2_v4l2 videobuf2_common videobuf2_memops mei_hdcp intel_ipu6 ov2740 ov8856 at24 sx9310 dw9768 v4l2_fwnode cros_ec_typec intel_pmc_mux roles acpi_als typec fuse iio_trig_sysfs cros_ec_light_prox cros_ec_lid_angle cros_ec_sensors cros\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46976", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46976", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46976", "Red 
Hat": "https://access.redhat.com/security/cve/CVE-2021-46976", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46976", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46976" } }, "CVE-2021-46977": { "affected_versions": "v5.5-rc1 to v5.13-rc2", "breaks": "4be5341026246870818e28b53202b001426a5aec", "cmt_msg": "KVM: VMX: Disable preemption when probing user return MSRs", "fixes": "5104d7ffcf24749939bea7fdb5378d186473f890", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Disable preemption when probing user return MSRs\n\nDisable preemption when probing a user return MSR via RDSMR/WRMSR. If\nthe MSR holds a different value per logical CPU, the WRMSR could corrupt\nthe host's value if KVM is preempted between the RDMSR and WRMSR, and\nthen rescheduled on a different CPU.\n\nOpportunistically land the helper in common x86, SVM will use the helper\nin a future commit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46977", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46977", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46977", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46977", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46977", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46977" } }, "CVE-2021-46978": { "affected_versions": "v5.11-rc3 to v5.13-rc2", "breaks": "f2c7ef3ba9556d62a7e2bb23b563c6510007d55c", "cmt_msg": "KVM: nVMX: Always make an attempt to map eVMCS after migration", "fixes": "f5c7e8425f18fdb9bdb7d13340651d7876890329", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nVMX: Always make an attempt to map eVMCS after migration\n\nWhen enlightened VMCS is in use and nested state is migrated with\nvmx_get_nested_state()/vmx_set_nested_state() KVM can't map evmcs\npage 
right away: evmcs gpa is not 'struct kvm_vmx_nested_state_hdr'\nand we can't read it from VP assist page because userspace may decide\nto restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state\n(and QEMU, for example, does exactly that). To make sure eVMCS is\nmapped /vmx_set_nested_state() raises KVM_REQ_GET_NESTED_STATE_PAGES\nrequest.\n\nCommit f2c7ef3ba955 (\"KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES\non nested vmexit\") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to\nnested_vmx_vmexit() to make sure MSR permission bitmap is not switched\nwhen an immediate exit from L2 to L1 happens right after migration (caused\nby a pending event, for example). Unfortunately, in the exact same\nsituation we still need to have eVMCS mapped so\nnested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS.\n\nAs a band-aid, restore nested_get_evmcs_page() when clearing\nKVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far\nfrom being ideal as we can't easily propagate possible failures and even if\nwe could, this is most likely already too late to do so. 
The whole\n'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration\nseems to be fragile as we diverge too much from the 'native' path when\nvmptr loading happens on vmx_set_nested_state().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46978", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46978", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46978", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46978", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46978", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46978" } }, "CVE-2021-46979": { "affected_versions": "v5.11-rc1 to v5.13-rc2", "breaks": "8dedcc3eee3aceb37832176f0a1b03d5687acda3", "cmt_msg": "iio: core: fix ioctl handlers removal", "fixes": "901f84de0e16bde10a72d7eb2f2eb73fcde8fa1a", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix ioctl handlers removal\n\nCurrently ioctl handlers are removed twice. 
For the first time during\niio_device_unregister() then later on inside\niio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().\nDouble free leads to kernel panic.\n\nFix this by not touching ioctl handlers list directly but rather\nletting code responsible for registration call the matching cleanup\nroutine itself.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46979", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46979", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46979", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46979", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46979", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46979" } }, "CVE-2021-46980": { "affected_versions": "v5.8-rc1 to v5.13-rc2", "breaks": "992a60ed0d5e312ce9a485c9e12097ac82ae4b3e", "cmt_msg": "usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4", "fixes": "1f4642b72be79757f050924a9b9673b6a02034bc", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. 
This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[ 151.545106][ T70] Unexpected kernel BRK exception at EL1\n[ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328\n...\n[ 151.545542][ T70] Call trace:\n[ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c\n[ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0\n[ 151.545550][ T70] dev_uevent+0x200/0x384\n[ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8\n[ 151.545557][ T70] power_supply_changed_work+0x174/0x31c\n[ 151.545562][ T70] process_one_work+0x244/0x6f0\n[ 151.545564][ T70] worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. 
This would involve\ntwo calls to the GET_PDOS command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46980", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46980", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46980", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46980", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46980", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46980" } }, "CVE-2021-46981": { "affected_versions": "v5.4-rc1 to v5.13-rc2", "breaks": "e9e006f5fcf2bab59149cb38a48a4817c1b538b4", "cmt_msg": "nbd: Fix NULL pointer in flush_workqueue", "fixes": "79ebe9110fa458d58f1fceb078e2068d7ad37390", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: Fix NULL pointer in flush_workqueue\n\nOpen /dev/nbdX first, the config_refs will be 1 and\nthe pointers in nbd_device are still null. Disconnect\n/dev/nbdX, then reference a null recv_workq. 
The\nprotection by config_refs in nbd_genl_disconnect is useless.\n\n[ 656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020\n[ 656.368943] #PF: supervisor write access in kernel mode\n[ 656.369844] #PF: error_code(0x0002) - not-present page\n[ 656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0\n[ 656.371693] Oops: 0002 [#1] SMP\n[ 656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1\n[ 656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014\n[ 656.375904] RIP: 0010:mutex_lock+0x29/0x60\n[ 656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 48 0f b1 55 d\n[ 656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246\n[ 656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020\n[ 656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318\n[ 656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40\n[ 656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00\n[ 656.382166] FS: 00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000\n[ 656.382806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0\n[ 656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 656.384927] Call Trace:\n[ 656.385111] flush_workqueue+0x92/0x6c0\n[ 656.385395] nbd_disconnect_and_put+0x81/0xd0\n[ 656.385716] nbd_genl_disconnect+0x125/0x2a0\n[ 656.386034] genl_family_rcv_msg_doit.isra.0+0x102/0x1b0\n[ 656.386422] genl_rcv_msg+0xfc/0x2b0\n[ 656.386685] ? nbd_ioctl+0x490/0x490\n[ 656.386954] ? 
genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0\n[ 656.387354] netlink_rcv_skb+0x62/0x180\n[ 656.387638] genl_rcv+0x34/0x60\n[ 656.387874] netlink_unicast+0x26d/0x590\n[ 656.388162] netlink_sendmsg+0x398/0x6c0\n[ 656.388451] ? netlink_rcv_skb+0x180/0x180\n[ 656.388750] ____sys_sendmsg+0x1da/0x320\n[ 656.389038] ? ____sys_recvmsg+0x130/0x220\n[ 656.389334] ___sys_sendmsg+0x8e/0xf0\n[ 656.389605] ? ___sys_recvmsg+0xa2/0xf0\n[ 656.389889] ? handle_mm_fault+0x1671/0x21d0\n[ 656.390201] __sys_sendmsg+0x6d/0xe0\n[ 656.390464] __x64_sys_sendmsg+0x23/0x30\n[ 656.390751] do_syscall_64+0x45/0x70\n[ 656.391017] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTo fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46981", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46981", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46981", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46981", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46981", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46981" } }, "CVE-2021-46982": { "affected_versions": "v2.6.12-rc2 to v5.13-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: compress: fix race condition of overwrite vs truncate", "fixes": "a949dc5f2c5cfe0c910b664650f45371254c0744", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix race condition of overwrite vs truncate\n\npos_fsstress testcase complains a panic as belew:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/compress.c:1082!\ninvalid opcode: 0000 [#1] SMP PTI\nCPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nWorkqueue: writeback wb_workfn (flush-252:16)\nRIP: 0010:prepare_compress_overwrite+0x4c0/0x760 
[f2fs]\nCall Trace:\n f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs]\n f2fs_write_cache_pages+0x468/0x8a0 [f2fs]\n f2fs_write_data_pages+0x2a4/0x2f0 [f2fs]\n do_writepages+0x38/0xc0\n __writeback_single_inode+0x44/0x2a0\n writeback_sb_inodes+0x223/0x4d0\n __writeback_inodes_wb+0x56/0xf0\n wb_writeback+0x1dd/0x290\n wb_workfn+0x309/0x500\n process_one_work+0x220/0x3c0\n worker_thread+0x53/0x420\n kthread+0x12f/0x150\n ret_from_fork+0x22/0x30\n\nThe root cause is truncate() may race with overwrite as below,\nso that one reference count left in page can not guarantee the\npage attaching in mapping tree all the time, after truncation,\nlater find_lock_page() may return NULL pointer.\n\n- prepare_compress_overwrite\n - f2fs_pagecache_get_page\n - unlock_page\n\t\t\t\t\t- f2fs_setattr\n\t\t\t\t\t - truncate_setsize\n\t\t\t\t\t - truncate_inode_page\n\t\t\t\t\t - delete_from_page_cache\n - find_lock_page\n\nFix this by avoiding referencing updated page.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46982", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46982", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46982", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46982", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46982", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46982" } }, "CVE-2021-46983": { "affected_versions": "v5.9-rc1 to v5.13-rc2", "breaks": "ca0f1a8055be2a04073af435dc68419334481638", "cmt_msg": "nvmet-rdma: Fix NULL deref when SEND is completed with error", "fixes": "8cc365f9559b86802afc0208389f5c8d46b4ad61", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-rdma: Fix NULL deref when SEND is completed with error\n\nWhen running some traffic and taking down the link on peer, a\nretry counter exceeded error is received. 
This leads to\nnvmet_rdma_error_comp which tried accessing the cq_context to\nobtain the queue. The cq_context is no longer valid after the\nfix to use shared CQ mechanism and should be obtained similar\nto how it is obtained in other functions from the wc->qp.\n\n[ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12).\n[ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048\n[ 905.839919] PGD 0 P4D 0\n[ 905.842464] Oops: 0000 1 SMP NOPTI\n[ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1\n[ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma]\n[ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff\n[ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246\n[ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000\n[ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000\n[ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074\n[ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010\n[ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400\n[ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000\n[ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12).\n[ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0\n[ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 905.961857] PKRU: 55555554\n[ 906.010315] Call Trace:\n[ 906.012778] 
__ib_process_cq+0x89/0x170 [ib_core]\n[ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core]\n[ 906.022152] process_one_work+0x1a7/0x360\n[ 906.026182] ? create_worker+0x1a0/0x1a0\n[ 906.030123] worker_thread+0x30/0x390\n[ 906.033802] ? create_worker+0x1a0/0x1a0\n[ 906.037744] kthread+0x116/0x130\n[ 906.040988] ? kthread_flush_work_fn+0x10/0x10\n[ 906.045456] ret_from_fork+0x1f/0x40", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46983", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46983", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46983", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46983", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46983", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46983" } }, "CVE-2021-46984": { "affected_versions": "v4.18-rc1 to v5.13-rc2", "breaks": "a6088845c2bf754d6cb2572b484180680b037804", "cmt_msg": "kyber: fix out of bounds access when preempted", "fixes": "efed9a3337e341bd0989161b97453b52567bc59d", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nkyber: fix out of bounds access when preempted\n\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. 
This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx's than the first one (i.e., if\nctx->index_hw[hctx->type] > hctx->nr_ctx).\n\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\n\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type 'long unsigned int [128]'\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\n\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n->bio_merge() instead. 
BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46984", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46984", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46984", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46984", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46984", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46984" } }, "CVE-2021-46985": { "affected_versions": "v5.12-rc5 to v5.13-rc2", "breaks": "eb50aaf960e3bedfef79063411ffd670da94b84b", "cmt_msg": "ACPI: scan: Fix a memory leak in an error handling path", "fixes": "0c8bd174f0fc131bc9dfab35cd8784f59045da87", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: scan: Fix a memory leak in an error handling path\n\nIf 'acpi_device_set_name()' fails, we must free\n'acpi_device_bus_id->bus_id' or there is a (potential) memory leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46985", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46985", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46985", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46985", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46985", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46985" } }, "CVE-2021-46986": { "affected_versions": "v5.10-rc1 to v5.13-rc2", "breaks": "e81a7018d93a7de31a3f121c9a7eecd0a5ec58b0", "cmt_msg": "usb: dwc3: gadget: Free gadget structure only after freeing endpoints", "fixes": "bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Free gadget structure only after freeing endpoints\n\nAs part of commit e81a7018d93a (\"usb: dwc3: allocate 
gadget structure\ndynamically\") the dwc3_gadget_release() was added which will free\nthe dwc->gadget structure upon the device's removal when\nusb_del_gadget_udc() is called in dwc3_gadget_exit().\n\nHowever, simply freeing the gadget results a dangling pointer\nsituation: the endpoints created in dwc3_gadget_init_endpoints()\nhave their dep->endpoint.ep_list members chained off the list_head\nanchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed,\nthe first dwc3_ep in the list now has a dangling prev pointer and\nlikewise for the next pointer of the dwc3_ep at the tail of the list.\nThe dwc3_gadget_free_endpoints() that follows will result in a\nuse-after-free when it calls list_del().\n\nThis was caught by enabling KASAN and performing a driver unbind.\nThe recent commit 568262bf5492 (\"usb: dwc3: core: Add shutdown\ncallback for dwc3\") also exposes this as a panic during shutdown.\n\nThere are a few possibilities to fix this. One could be to perform\na list_del() of the gadget->ep_list itself which removes it from\nthe rest of the dwc3_ep chain.\n\nAnother approach is what this patch does, by splitting up the\nusb_del_gadget_udc() call into its separate \"del\" and \"put\"\ncomponents. 
This allows dwc3_gadget_free_endpoints() to be\ncalled before the gadget is finally freed with usb_put_gadget().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46986", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46986", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46986", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46986", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46986", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46986" } }, "CVE-2021-46987": { "affected_versions": "v5.9-rc1 to v5.13-rc2", "breaks": "c53e9653605dbf708f5be02902de51831be4b009", "cmt_msg": "btrfs: fix deadlock when cloning inline extents and using qgroups", "fixes": "f9baa501b4fd6962257853d46ddffbc21f27e344", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock when cloning inline extents and using qgroups\n\nThere are a few exceptional cases where cloning an inline extent needs to\ncopy the inline extent data into a page of the destination inode.\n\nWhen this happens, we end up starting a transaction while having a dirty\npage for the destination inode and while having the range locked in the\ndestination's inode iotree too. Because when reserving metadata space\nfor a transaction we may need to flush existing delalloc in case there is\nnot enough free space, we have a mechanism in place to prevent a deadlock,\nwhich was introduced in commit 3d45f221ce627d (\"btrfs: fix deadlock when\ncloning inline extent and low on free metadata space\").\n\nHowever when using qgroups, a transaction also reserves metadata qgroup\nspace, which can also result in flushing delalloc in case there is not\nenough available space at the moment. 
When this happens we deadlock, since\nflushing delalloc requires locking the file range in the inode's iotree\nand the range was already locked at the very beginning of the clone\noperation, before attempting to start the transaction.\n\nWhen this issue happens, stack traces like the following are reported:\n\n [72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000\n [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)\n [72747.556271] Call Trace:\n [72747.556273] __schedule+0x296/0x760\n [72747.556277] schedule+0x3c/0xa0\n [72747.556279] io_schedule+0x12/0x40\n [72747.556284] __lock_page+0x13c/0x280\n [72747.556287] ? generic_file_readonly_mmap+0x70/0x70\n [72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]\n [72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160\n [72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]\n [72747.556362] ? update_group_capacity+0x25/0x210\n [72747.556366] ? cpumask_next_and+0x1a/0x20\n [72747.556391] extent_writepages+0x44/0xa0 [btrfs]\n [72747.556394] do_writepages+0x41/0xd0\n [72747.556398] __writeback_single_inode+0x39/0x2a0\n [72747.556403] writeback_sb_inodes+0x1ea/0x440\n [72747.556407] __writeback_inodes_wb+0x5f/0xc0\n [72747.556410] wb_writeback+0x235/0x2b0\n [72747.556414] ? get_nr_inodes+0x35/0x50\n [72747.556417] wb_workfn+0x354/0x490\n [72747.556420] ? newidle_balance+0x2c5/0x3e0\n [72747.556424] process_one_work+0x1aa/0x340\n [72747.556426] worker_thread+0x30/0x390\n [72747.556429] ? create_worker+0x1a0/0x1a0\n [72747.556432] kthread+0x116/0x130\n [72747.556435] ? kthread_park+0x80/0x80\n [72747.556438] ret_from_fork+0x1f/0x30\n\n [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n [72747.566961] Call Trace:\n [72747.566964] __schedule+0x296/0x760\n [72747.566968] ? finish_wait+0x80/0x80\n [72747.566970] schedule+0x3c/0xa0\n [72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]\n [72747.566999] ? 
finish_wait+0x80/0x80\n [72747.567024] lock_extent_bits+0x37/0x90 [btrfs]\n [72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs]\n [72747.567051] ? find_get_pages_range_tag+0x2cd/0x380\n [72747.567076] __extent_writepage+0x203/0x320 [btrfs]\n [72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]\n [72747.567106] ? update_load_avg+0x7e/0x5f0\n [72747.567109] ? enqueue_entity+0xf4/0x6f0\n [72747.567134] extent_writepages+0x44/0xa0 [btrfs]\n [72747.567137] ? enqueue_task_fair+0x93/0x6f0\n [72747.567140] do_writepages+0x41/0xd0\n [72747.567144] __filemap_fdatawrite_range+0xc7/0x100\n [72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs]\n [72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs]\n [72747.567200] process_one_work+0x1aa/0x340\n [72747.567202] worker_thread+0x30/0x390\n [72747.567205] ? create_worker+0x1a0/0x1a0\n [72747.567208] kthread+0x116/0x130\n [72747.567211] ? kthread_park+0x80/0x80\n [72747.567214] ret_from_fork+0x1f/0x30\n\n [72747.569686] task:fsstress state:D stack: \n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46987", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46987", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46987", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46987", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46987", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46987" } }, "CVE-2021-46988": { "affected_versions": "v4.11-rc1 to v5.13-rc2", "breaks": "cb658a453b9327ce96ce5222c24d162b5b65b564", "cmt_msg": "userfaultfd: release page in error path to avoid BUG_ON", "fixes": "7ed9d238c7dbb1fdb63ad96a6184985151b0171c", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: release page in error path to avoid BUG_ON\n\nConsider the following sequence of events:\n\n1. 
Userspace issues a UFFD ioctl, which ends up calling into\n shmem_mfill_atomic_pte(). We successfully account the blocks, we\n shmem_alloc_page(), but then the copy_from_user() fails. We return\n -ENOENT. We don't release the page we allocated.\n2. Our caller detects this error code, tries the copy_from_user() after\n dropping the mmap_lock, and retries, calling back into\n shmem_mfill_atomic_pte().\n3. Meanwhile, let's say another process filled up the tmpfs being used.\n4. So shmem_mfill_atomic_pte() fails to account blocks this time, and\n immediately returns - without releasing the page.\n\nThis triggers a BUG_ON in our caller, which asserts that the page\nshould always be consumed, unless -ENOENT is returned.\n\nTo fix this, detect if we have such a \"dangling\" page when accounting\nfails, and if so, release it before returning.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46988", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46988", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46988", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46988", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46988", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46988" } }, "CVE-2021-46989": { "affected_versions": "v4.19-rc1 to v5.13-rc2", "breaks": "31651c607151f1034cfb57e5a78678bea54c362b", "cmt_msg": "hfsplus: prevent corruption in shrinking truncate", "fixes": "c3187cf32216313fb316084efac4dab3a8459b1d", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: prevent corruption in shrinking truncate\n\nI believe there are some issues introduced by commit 31651c607151\n(\"hfsplus: avoid deadlock on file truncation\")\n\nHFS+ has extent records which always contains 8 extents. 
In case the\nfirst extent record in catalog file gets full, new ones are allocated from\nextents overflow file.\n\nIn case shrinking truncate happens to middle of an extent record which\nlocates in extents overflow file, the logic in hfsplus_file_truncate() was\nchanged so that call to hfs_brec_remove() is not guarded any more.\n\nRight action would be just freeing the extents that exceed the new size\ninside extent record by calling hfsplus_free_extents(), and then check if\nthe whole extent record should be removed. However since the guard\n(blk_cnt > start) is now after the call to hfs_brec_remove(), this has\nunfortunate effect that the last matching extent record is removed\nunconditionally.\n\nTo reproduce this issue, create a file which has at least 10 extents, and\nthen perform shrinking truncate into middle of the last extent record, so\nthat the number of remaining extents is not under or divisible by 8. This\ncauses the last extent record (8 extents) to be removed totally instead of\ntruncating into middle of it. Thus this causes corruption, and lost data.\n\nFix for this is simply checking if the new truncated end is below the\nstart of this extent record, making it safe to remove the full extent\nrecord. However call to hfs_brec_remove() can't be moved to it's previous\nplace since we're dropping ->tree_lock and it can cause a race condition\nand the cached info being invalidated possibly corrupting the node data.\n\nAnother issue is related to this one. When entering into the block\n(blk_cnt > start) we are not holding the ->tree_lock. We break out from\nthe loop not holding the lock, but hfs_find_exit() does unlock it. Not\nsure if it's possible for someone else to take the lock under our feet,\nbut it can cause hard to debug errors and premature unlocking. Even if\nthere's no real risk of it, the locking should still always be kept in\nbalance. 
Thus taking the lock now just before the check.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46989", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46989", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46989", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46989", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46989", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46989" } }, "CVE-2021-46990": { "affected_versions": "v5.10-rc5 to v5.13-rc2", "breaks": "f79643787e0a0762d2409b7b8334e83f22d85695", "cmt_msg": "powerpc/64s: Fix crashes when toggling entry flush barrier", "fixes": "aec86b052df6541cc97c5fca44e5934cbea4963b", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix crashes when toggling entry flush barrier\n\nThe entry flush mitigation can be enabled/disabled at runtime via a\ndebugfs file (entry_flush), which causes the kernel to patch itself to\nenable/disable the relevant mitigations.\n\nHowever depending on which mitigation we're using, it may not be safe to\ndo that patching while other CPUs are active. For example the following\ncrash:\n\n sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20\n\nShows that we returned to userspace with a corrupted LR that points into\nthe kernel, due to executing the partially patched call to the fallback\nentry flush (ie. we missed the LR restore).\n\nFix it by doing the patching under stop machine. The CPUs that aren't\ndoing the patching will be spinning in the core of the stop machine\nlogic. 
That is currently sufficient for our purposes, because none of\nthe patching we do is to that code or anywhere in the vicinity.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46990", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46990", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46990", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46990", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46990", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46990" } }, "CVE-2021-46991": { "affected_versions": "v4.16-rc1 to v5.13-rc1", "breaks": "7b0b1a6d0ac983ce1928432285d0222d4fb7c38b", "cmt_msg": "i40e: Fix use-after-free in i40e_client_subtask()", "fixes": "38318f23a7ef86a8b1862e5e8078c4de121960c3", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix use-after-free in i40e_client_subtask()\n\nCurrently the call to i40e_client_del_instance frees the object\npf->cinst, however pf->cinst->lan_info is being accessed after\nthe free. 
Fix this by adding the missing return.\n\nAddresses-Coverity: (\"Read from pointer after free\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46991", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46991", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46991", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46991", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46991", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46991" } }, "CVE-2021-46992": { "affected_versions": "v4.9-rc1 to v5.13-rc1", "breaks": "0ed6389c483dc77cdbdd48de0ca7ce41723dd667", "cmt_msg": "netfilter: nftables: avoid overflows in nft_hash_buckets()", "fixes": "a54754ec9891830ba548e2010c889e3c8146e449", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: avoid overflows in nft_hash_buckets()\n\nNumber of buckets being stored in 32bit variables, we have to\nensure that no overflows occur in nft_hash_buckets()\n\nsyzbot injected a size == 0x40000000 and reported:\n\nUBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\nshift exponent 64 is too large for 64-bit type 'long unsigned int'\nCPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x141/0x1d7 lib/dump_stack.c:120\n ubsan_epilogue+0xb/0x5a lib/ubsan.c:148\n __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327\n __roundup_pow_of_two include/linux/log2.h:57 [inline]\n nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]\n nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652\n nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]\n nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322\n nfnetlink_rcv_batch+0xa09/0x24b0 
net/netfilter/nfnetlink.c:488\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46992", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46992", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46992", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46992", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46992", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46992" } }, "CVE-2021-46993": { "affected_versions": "v5.3-rc1 to v5.13-rc1", "breaks": "69842cba9ace84849bb9b8edcdf2cefccd97901c", "cmt_msg": "sched: Fix out-of-bound access in uclamp", "fixes": "6d2f8909a5fabb73fe2a63918117943986c39b6c", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix out-of-bound access in uclamp\n\nUtil-clamp places tasks in different buckets based on their clamp values\nfor performance reasons. However, the size of buckets is currently\ncomputed using a rounding division, which can lead to an off-by-one\nerror in some configurations.\n\nFor instance, with 20 buckets, the bucket size will be 1024/20=51. A\ntask with a clamp of 1024 will be mapped to bucket id 1024/51=20. 
Sadly,\ncorrect indexes are in range [0,19], hence leading to an out of bound\nmemory access.\n\nClamp the bucket id to fix the issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46993", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46993", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46993", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46993", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46993", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46993" } }, "CVE-2021-46994": { "affected_versions": "v5.5-rc1 to v5.13-rc1", "breaks": "8ce8c0abcba314e1fe954a1840f6568bf5aef2ef", "cmt_msg": "can: mcp251x: fix resume from sleep before interface was brought up", "fixes": "03c427147b2d3e503af258711af4fc792b89b0af", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix resume from sleep before interface was brought up\n\nSince 8ce8c0abcba3 the driver queues work via priv->restart_work when\nresuming after suspend, even when the interface was not previously\nenabled. 
This causes a null dereference error as the workqueue is only\nallocated and initialized in mcp251x_open().\n\nTo fix this we move the workqueue init to mcp251x_can_probe() as there\nis no reason to do it later and repeat it whenever mcp251x_open() is\ncalled.\n\n[mkl: fix error handling in mcp251x_stop()]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46994", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46994", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46994", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46994", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46994", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46994" } }, "CVE-2021-46995": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "cf8ee6de2543a0fa6d9471ddbb7216464a9681a1", "cmt_msg": "can: mcp251xfd: mcp251xfd_probe(): fix an error pointer dereference in probe", "fixes": "4cc7faa406975b460aa674606291dea197c1210c", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: mcp251xfd_probe(): fix an error pointer dereference in probe\n\nWhen we converted this code to use dev_err_probe() we accidentally\nremoved a return. 
It means that if devm_clk_get() it will lead to an\nOops when we call clk_get_rate() on the next line.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46995", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46995", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46995", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46995" } }, "CVE-2021-46996": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "b131c96496b369c7b14125e7c50e89ac7cec8051", "cmt_msg": "netfilter: nftables: Fix a memleak from userdata error path in new objects", "fixes": "85dfd816fabfc16e71786eda0a33a7046688b5b0", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: Fix a memleak from userdata error path in new objects\n\nRelease object name if userdata allocation fails.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46996", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46996", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46996", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46996", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46996", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46996" } }, "CVE-2021-46997": { "affected_versions": "v5.10-rc7 to v5.13-rc1", "breaks": "23529049c68423820487304f244144e0d576e85a", "cmt_msg": "arm64: entry: always set GIC_PRIO_PSR_I_SET during entry", "fixes": "4d6a38da8e79e94cbd1344aa90876f0f805db705", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: always set GIC_PRIO_PSR_I_SET during entry\n\nZenghui reports that booting a kernel with \"irqchip.gicv3_pseudo_nmi=1\"\non the command line hits a 
warning during kernel entry, due to the way\nwe manipulate the PMR.\n\nEarly in the entry sequence, we call lockdep_hardirqs_off() to inform\nlockdep that interrupts have been masked (as the HW sets DAIF wqhen\nentering an exception). Architecturally PMR_EL1 is not affected by\nexception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in\nthe exception entry sequence, so early in exception entry the PMR can\nindicate that interrupts are unmasked even though they are masked by\nDAIF.\n\nIf DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that\ninterrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the\nexception entry paths, and hence lockdep_hardirqs_off() will WARN() that\nsomething is amiss.\n\nWe can avoid this by consistently setting GIC_PRIO_PSR_I_SET during\nexception entry so that kernel code sees a consistent environment. We\nmust also update local_daif_inherit() to undo this, as currently only\ntouches DAIF. For other paths, local_daif_restore() will update both\nDAIF and the PMR. With this done, we can remove the existing special\ncases which set this later in the entry code.\n\nWe always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with\nlocal_daif_save(), as this will warn if it ever encounters\n(GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. 
This\nmatches the gic_prio_kentry_setup that we have to retain for\nret_to_user.\n\nThe original splat from Zenghui's report was:\n\n| DEBUG_LOCKS_WARN_ON(!irqs_disabled())\n| WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8\n| Modules linked in:\n| CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463\n| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--)\n| pc : lockdep_hardirqs_off+0xd4/0xe8\n| lr : lockdep_hardirqs_off+0xd4/0xe8\n| sp : ffff80002a39bad0\n| pmr_save: 000000e0\n| x29: ffff80002a39bad0 x28: ffff0000de214bc0\n| x27: ffff0000de1c0400 x26: 000000000049b328\n| x25: 0000000000406f30 x24: ffff0000de1c00a0\n| x23: 0000000020400005 x22: ffff8000105f747c\n| x21: 0000000096000044 x20: 0000000000498ef9\n| x19: ffff80002a39bc88 x18: ffffffffffffffff\n| x17: 0000000000000000 x16: ffff800011c61eb0\n| x15: ffff800011700a88 x14: 0720072007200720\n| x13: 0720072007200720 x12: 0720072007200720\n| x11: 0720072007200720 x10: 0720072007200720\n| x9 : ffff80002a39bad0 x8 : ffff80002a39bad0\n| x7 : ffff8000119f0800 x6 : c0000000ffff7fff\n| x5 : ffff8000119f07a8 x4 : 0000000000000001\n| x3 : 9bcdab23f2432800 x2 : ffff800011730538\n| x1 : 9bcdab23f2432800 x0 : 0000000000000000\n| Call trace:\n| lockdep_hardirqs_off+0xd4/0xe8\n| enter_from_kernel_mode.isra.5+0x7c/0xa8\n| el1_abort+0x24/0x100\n| el1_sync_handler+0x80/0xd0\n| el1_sync+0x6c/0x100\n| __arch_clear_user+0xc/0x90\n| load_elf_binary+0x9fc/0x1450\n| bprm_execve+0x404/0x880\n| kernel_execve+0x180/0x188\n| call_usermodehelper_exec_async+0xdc/0x158\n| ret_from_fork+0x10/0x18", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46997", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46997", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46997", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46997", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-46997", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46997" } }, "CVE-2021-46998": { "affected_versions": "v4.16-rc1 to v5.13-rc1", "breaks": "fb7516d42478ebc8e2f00efb76ef96f7b68fd8d3", "cmt_msg": "ethernet:enic: Fix a use after free bug in enic_hard_start_xmit", "fixes": "643001b47adc844ae33510c4bb93c236667008a3", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet:enic: Fix a use after free bug in enic_hard_start_xmit\n\nIn enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside\nenic_queue_wq_skb, if some error happens, the skb will be freed\nby dev_kfree_skb(skb). But the freed skb is still used in\nskb_tx_timestamp(skb).\n\nMy patch makes enic_queue_wq_skb() return error and goto spin_unlock()\nincase of error. The solution is provided by Govind.\nSee https://lkml.org/lkml/2021/4/30/961.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46998", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46998", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46998", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46998", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46998", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46998" } }, "CVE-2021-46999": { "affected_versions": "v5.7-rc3 to v5.13-rc1", "breaks": "145cb2f7177d94bc54563ed26027e952ee0ae03c", "cmt_msg": "sctp: do asoc update earlier in sctp_sf_do_dupcook_a", "fixes": "35b4f24415c854cd718ccdf38dbea6297f010aae", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: do asoc update earlier in sctp_sf_do_dupcook_a\n\nThere's a panic that occurs in a few of envs, the call trace is as below:\n\n [] general protection fault, ... 
0x29acd70f1000a: 0000 [#1] SMP PTI\n [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]\n [] sctp_assoc_control_transport+0x1b9/0x210 [sctp]\n [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]\n [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]\n [] sctp_do_sm+0xc3/0x2a0 [sctp]\n [] sctp_generate_timeout_event+0x81/0xf0 [sctp]\n\nThis is caused by a transport use-after-free issue. When processing a\nduplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK\nand SHUTDOWN chunks are allocated with the transort from the new asoc.\nHowever, later in the sideeffect machine, the old asoc is used to send\nthem out and old asoc's shutdown_last_sent_to is set to the transport\nthat SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually\nbelongs to the new asoc. After the new_asoc is freed and the old asoc\nT2 timeout, the old asoc's shutdown_last_sent_to that is already freed\nwould be accessed in sctp_sf_t2_timer_expire().\n\nThanks Alexander and Jere for helping dig into this issue.\n\nTo fix it, this patch is to do the asoc update first, then allocate\nthe COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This\nwould make more sense, as a chunk from an asoc shouldn't be sent out\nwith another asoc. 
We had fixed quite a few issues caused by this.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-46999", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-46999", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-46999", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-46999", "SUSE": "https://www.suse.com/security/cve/CVE-2021-46999", "Ubuntu": "https://ubuntu.com/security/CVE-2021-46999" } }, "CVE-2021-47000": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "878dabb64117406abd40977b87544d05bb3031fc", "cmt_msg": "ceph: fix inode leak on getattr error in __fh_to_dentry", "fixes": "1775c7ddacfcea29051c67409087578f8f4d751b", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix inode leak on getattr error in __fh_to_dentry", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47000", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47000", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47000", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47000", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47000", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47000" } }, "CVE-2021-47001": { "affected_versions": "v5.5-rc1 to v5.13-rc1", "breaks": "2ae50ad68cd79224198b525f7bd645c9da98b6ff", "cmt_msg": "xprtrdma: Fix cwnd update ordering", "fixes": "35d8b10a25884050bb3b0149b62c3818ec59f77c", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: Fix cwnd update ordering\n\nAfter a reconnect, the reply handler is opening the cwnd (and thus\nenabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs()\ncan post enough Receive WRs to receive their replies. 
This causes an\nRNR and the new connection is lost immediately.\n\nThe race is most clearly exposed when KASAN and disconnect injection\nare enabled. This slows down rpcrdma_rep_create() enough to allow\nthe send side to post a bunch of RPC Calls before the Receive\ncompletion handler can invoke ib_post_recv().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47001", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47001", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47001", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47001" } }, "CVE-2021-47002": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "5191955d6fc65e6d4efe8f4f10a6028298f57281", "cmt_msg": "SUNRPC: Fix null pointer dereference in svc_rqst_free()", "fixes": "b9f83ffaa0c096b4c832a43964fe6bff3acffe10", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix null pointer dereference in svc_rqst_free()\n\nWhen alloc_pages_node() returns null in svc_rqst_alloc(), the\nnull rq_scratch_page pointer will be dereferenced when calling\nput_page() in svc_rqst_free(). 
Fix it by adding a null check.\n\nAddresses-Coverity: (\"Dereference after null check\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47002", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47002", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47002", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47002" } }, "CVE-2021-47003": { "affected_versions": "v5.11 to v5.13-rc1", "breaks": "89e3becd8f821e507052e012d2559dcda59f538e", "cmt_msg": "dmaengine: idxd: Fix potential null dereference on pointer status", "fixes": "28ac8e03c43dfc6a703aa420d18222540b801120", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix potential null dereference on pointer status\n\nThere are calls to idxd_cmd_exec that pass a null status pointer however\na recent commit has added an assignment to *status that can end up\nwith a null pointer dereference. The function expects a null status\npointer sometimes as there is a later assignment to *status where\nstatus is first null checked. 
Fix the issue by null checking status\nbefore making the assignment.\n\nAddresses-Coverity: (\"Explicit null dereferenced\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47003", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47003", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47003", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47003", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47003", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47003" } }, "CVE-2021-47004": { "affected_versions": "v4.20-rc1 to v5.13-rc1", "breaks": "4354994f097d068a894aa1a0860da54571df3582", "cmt_msg": "f2fs: fix to avoid touching checkpointed data in get_victim()", "fixes": "61461fc921b756ae16e64243f72af2bfc2e620db", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid touching checkpointed data in get_victim()\n\nIn CP disabling mode, there are two issues when using LFS or SSR | AT_SSR\nmode to select victim:\n\n1. LFS is set to find source section during GC, the victim should have\nno checkpointed data, since after GC, section could not be set free for\nreuse.\n\nPreviously, we only check valid chpt blocks in current segment rather\nthan section, fix it.\n\n2. 
SSR | AT_SSR are set to find target segment for writes which can be\nfully filled by checkpointed and newly written blocks, we should never\nselect such segment, otherwise it can cause panic or data corruption\nduring allocation, potential case is described as below:\n\n a) target segment has 'n' (n < 512) ckpt valid blocks\n b) GC migrates 'n' valid blocks to other segment (segment is still\n in dirty list)\n c) GC migrates '512 - n' blocks to target segment (segment has 'n'\n cp_vblocks and '512 - n' vblocks)\n d) If GC selects target segment via {AT,}SSR allocator, however there\n is no free space in targe segment.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47004", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47004", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47004", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47004", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47004", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47004" } }, "CVE-2021-47005": { "affected_versions": "v5.1-rc1 to v5.13-rc1", "breaks": "2c04c5b8eef797dca99699cfb55ff42dd3c12c23", "cmt_msg": "PCI: endpoint: Fix NULL pointer dereference for ->get_features()", "fixes": "6613bc2301ba291a1c5a90e1dc24cf3edf223c03", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix NULL pointer dereference for ->get_features()\n\nget_features ops of pci_epc_ops may return NULL, causing NULL pointer\ndereference in pci_epf_test_alloc_space function. 
Let us add a check for\npci_epc_feature pointer in pci_epf_test_bind before we access it to avoid\nany such NULL pointer dereference and return -ENOTSUPP in case\npci_epc_feature is not found.\n\nWhen the patch is not applied and EPC features is not implemented in the\nplatform driver, we see the following dump due to kernel NULL pointer\ndereference.\n\nCall trace:\n pci_epf_test_bind+0xf4/0x388\n pci_epf_bind+0x3c/0x80\n pci_epc_epf_link+0xa8/0xcc\n configfs_symlink+0x1a4/0x48c\n vfs_symlink+0x104/0x184\n do_symlinkat+0x80/0xd4\n __arm64_sys_symlinkat+0x1c/0x24\n el0_svc_common.constprop.3+0xb8/0x170\n el0_svc_handler+0x70/0x88\n el0_svc+0x8/0x640\nCode: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400)\n---[ end trace a438e3c5a24f9df0 ]---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47005", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47005", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47005", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47005", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47005", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47005" } }, "CVE-2021-47006": { "affected_versions": "v4.7-rc1 to v5.13-rc1", "breaks": "1879445dfa7bbd6fe21b09c5cc72f4934798afed", "cmt_msg": "ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook", "fixes": "a506bd5756290821a4314f502b4bafc2afcf5260", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook\n\nThe commit 1879445dfa7b (\"perf/core: Set event's default\n::overflow_handler()\") set a default event->overflow_handler in\nperf_event_alloc(), and replace the check event->overflow_handler with\nis_default_overflow_handler(), but one is missing.\n\nCurrently, the bp->overflow_handler can not be NULL. 
As a result,\nenable_single_step() is always not invoked.\n\nComments from Zhen Lei:\n\n https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47006", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47006", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47006", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47006", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47006", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47006" } }, "CVE-2021-47007": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "b4b10061ef98c583bcf82a4200703fbaa98c18dc", "cmt_msg": "f2fs: fix panic during f2fs_resize_fs()", "fixes": "3ab0598e6d860ef49d029943ba80f627c15c15d6", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix panic during f2fs_resize_fs()\n\nf2fs_resize_fs() hangs in below callstack with testcase:\n- mkfs 16GB image & mount image\n- dd 8GB fileA\n- dd 8GB fileB\n- sync\n- rm fileA\n- sync\n- resize filesystem to 8GB\n\nkernel BUG at segment.c:2484!\nCall Trace:\n allocate_segment_by_default+0x92/0xf0 [f2fs]\n f2fs_allocate_data_block+0x44b/0x7e0 [f2fs]\n do_write_page+0x5a/0x110 [f2fs]\n f2fs_outplace_write_data+0x55/0x100 [f2fs]\n f2fs_do_write_data_page+0x392/0x850 [f2fs]\n move_data_page+0x233/0x320 [f2fs]\n do_garbage_collect+0x14d9/0x1660 [f2fs]\n free_segment_range+0x1f7/0x310 [f2fs]\n f2fs_resize_fs+0x118/0x330 [f2fs]\n __f2fs_ioctl+0x487/0x3680 [f2fs]\n __x64_sys_ioctl+0x8e/0xd0\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe root cause is we forgot to check that whether we have enough space\nin resized filesystem to store all valid blocks in before-resizing\nfilesystem, then allocator will run out-of-space during block migration\nin free_segment_range().", "ref_urls": 
{ "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47007", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47007", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47007", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47007", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47007", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47007" } }, "CVE-2021-47008": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "f1c6366e304328de301be362eca905a3503ff33b", "cmt_msg": "KVM: SVM: Make sure GHCB is mapped before updating", "fixes": "a3ba26ecfb569f4aa3f867e80c02aa65f20aadad", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Make sure GHCB is mapped before updating\n\nAccess to the GHCB is mainly in the VMGEXIT path and it is known that the\nGHCB will be mapped. But there are two paths where it is possible the GHCB\nmight not be mapped.\n\nThe sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform\nthe caller of the AP Reset Hold NAE event that a SIPI has been delivered.\nHowever, if a SIPI is performed without a corresponding AP Reset Hold,\nthen the GHCB might not be mapped (depending on the previous VMEXIT),\nwhich will result in a NULL pointer dereference.\n\nThe svm_complete_emulated_msr() routine will update the GHCB to inform\nthe caller of a RDMSR/WRMSR operation about any errors. 
While it is likely\nthat the GHCB will be mapped in this situation, add a safe guard\nin this path to be certain a NULL pointer dereference is not encountered.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47008", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47008", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47008", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47008", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47008", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47008" } }, "CVE-2021-47009": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc2", "breaks": "5df16caada3fba3b21cb09b85cdedf99507f4ec1", "cmt_msg": "KEYS: trusted: Fix memory leak on object td", "fixes": "83a775d5f9bfda95b1c295f95a3a041a40c7f321", "last_affected_version": "5.12.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak on object td\n\nTwo error return paths are neglecting to free allocated object td,\ncausing a memory leak. 
Fix this by returning via the error return\npath that securely kfree's td.\n\nFixes clang scan-build warning:\nsecurity/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential\nmemory leak [unix.Malloc]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47009", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47009", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47009", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47009", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47009", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47009" } }, "CVE-2021-47010": { "affected_versions": "v4.15-rc1 to v5.13-rc1", "breaks": "6670e152447732ba90626f36dfc015a13fbf150e", "cmt_msg": "net: Only allow init netns to set default tcp cong to a restricted algo", "fixes": "8d432592f30fcc34ef5a10aac4887b4897884493", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Only allow init netns to set default tcp cong to a restricted algo\n\ntcp_set_default_congestion_control() is netns-safe in that it writes\nto &net->ipv4.tcp_congestion_control, but it also sets\nca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced.\nThis has the unintended side-effect of changing the global\nnet.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it\nis read-only: 97684f0970f6 (\"net: Make tcp_allowed_congestion_control\nreadonly in non-init netns\")\n\nResolve this netns \"leak\" by only allowing the init netns to set the\ndefault algorithm to one that is restricted. 
This restriction could be\nremoved if tcp_allowed_congestion_control were namespace-ified in the\nfuture.\n\nThis bug was uncovered with\nhttps://github.com/JonathonReinhart/linux-netns-sysctl-verify", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47010", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47010", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47010", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47010", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47010", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47010" } }, "CVE-2021-47011": { "affected_versions": "v5.11-rc5 to v5.13-rc1", "breaks": "3de7d4f25a7438f09fef4e71ef111f1805cd8e7c", "cmt_msg": "mm: memcontrol: slab: fix obtain a reference to a freeing memcg", "fixes": "9f38f03ae8d5f57371b71aa6b4275765b65454fd", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memcontrol: slab: fix obtain a reference to a freeing memcg\n\nPatch series \"Use obj_cgroup APIs to charge kmem pages\", v5.\n\nSince Roman's series \"The new cgroup slab memory controller\" applied.\nAll slab objects are charged with the new APIs of obj_cgroup. The new\nAPIs introduce a struct obj_cgroup to charge slab objects. It prevents\nlong-living objects from pinning the original memory cgroup in the\nmemory. But there are still some corner objects (e.g. allocations\nlarger than order-1 page on SLUB) which are not charged with the new\nAPIs. Those objects (include the pages which are allocated from buddy\nallocator directly) are charged as kmem pages which still hold a\nreference to the memory cgroup.\n\nE.g. We know that the kernel stack is charged as kmem pages because the\nsize of the kernel stack can be greater than 2 pages (e.g. 16KB on\nx86_64 or arm64). 
If we create a thread (suppose the thread stack is\ncharged to memory cgroup A) and then move it from memory cgroup A to\nmemory cgroup B. Because the kernel stack of the thread hold a\nreference to the memory cgroup A. The thread can pin the memory cgroup\nA in the memory even if we remove the cgroup A. If we want to see this\nscenario by using the following script. We can see that the system has\nadded 500 dying cgroups (This is not a real world issue, just a script\nto show that the large kmallocs are charged as kmem pages which can pin\nthe memory cgroup in the memory).\n\n\t#!/bin/bash\n\n\tcat /proc/cgroups | grep memory\n\n\tcd /sys/fs/cgroup/memory\n\techo 1 > memory.move_charge_at_immigrate\n\n\tfor i in range{1..500}\n\tdo\n\t\tmkdir kmem_test\n\t\techo $$ > kmem_test/cgroup.procs\n\t\tsleep 3600 &\n\t\techo $$ > cgroup.procs\n\t\techo `cat kmem_test/cgroup.procs` > cgroup.procs\n\t\trmdir kmem_test\n\tdone\n\n\tcat /proc/cgroups | grep memory\n\nThis patchset aims to make those kmem pages to drop the reference to\nmemory cgroup by using the APIs of obj_cgroup. 
Finally, we can see that\nthe number of the dying cgroups will not increase if we run the above test\nscript.\n\nThis patch (of 7):\n\nThe rcu_read_lock/unlock only can guarantee that the memcg will not be\nfreed, but it cannot guarantee the success of css_get (which is in the\nrefill_stock when cached memcg changed) to memcg.\n\n rcu_read_lock()\n memcg = obj_cgroup_memcg(old)\n __memcg_kmem_uncharge(memcg)\n refill_stock(memcg)\n if (stock->cached != memcg)\n // css_get can change the ref counter from 0 back to 1.\n css_get(&memcg->css)\n rcu_read_unlock()\n\nThis fix is very like the commit:\n\n eefbfa7fd678 (\"mm: memcg/slab: fix use after free in obj_cgroup_charge\")\n\nFix this by holding a reference to the memcg which is passed to the\n__memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47011", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47011", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47011", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47011", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47011", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47011" } }, "CVE-2021-47012": { "affected_versions": "v5.3-rc1 to v5.13-rc1", "breaks": "2251334dcac9eb337575d8767e2a6a7e81848f7f", "cmt_msg": "RDMA/siw: Fix a use after free in siw_alloc_mr", "fixes": "3093ee182f01689b89e9f8797b321603e5de4f63", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a\nfreed object. 
Afterwards, execution continues up to the err_out branch of\nsiw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr->mem = mem\" behind the if (xa_alloc_cyclic(..)<0) {}\nsection, to avoid the uaf.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47012", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47012", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47012", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47012", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47012", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47012" } }, "CVE-2021-47013": { "affected_versions": "v4.9-rc1 to v5.13-rc1", "breaks": "b9b17debc69d27cd55e21ee51a5ba7fc50a426cf", "cmt_msg": "net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send", "fixes": "6d72e7c767acbbdd44ebc7d89c6690b405b32b57", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send\n\nIn emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).\nIf some error happens in emac_tx_fill_tpd(), the skb will be freed via\ndev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().\nBut the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).\n\nAs I observed that emac_tx_fill_tpd() hasn't modified the value of skb->len,\nthus my patch assigns skb->len to 'len' before the possible free and\nuses 'len' instead of skb->len later.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47013", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47013", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47013", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47013", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47013", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47013" } }, "CVE-2021-47014": { 
"affected_versions": "v5.8-rc7 to v5.13-rc1", "breaks": "ae372cb1750f6c95370f92fe5f5620e0954663ba", "cmt_msg": "net/sched: act_ct: fix wild memory access when clearing fragments", "fixes": "f77bd544a6bbe69aa50d9ed09f13494cf36ff806", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix wild memory access when clearing fragments\n\nwhile testing re-assembly/re-fragmentation using act_ct, it's possible to\nobserve a crash like the following one:\n\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n inet_frag_destroy+0xa9/0x150\n call_timer_fn+0x2d/0x180\n run_timer_softirq+0x4fe/0xe70\n __do_softirq+0x197/0x5a0\n irq_exit_rcu+0x1de/0x200\n sysvec_apic_timer_interrupt+0x6b/0x80\n \n\nwhen act_ct temporarily stores an IP 
fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47014", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47014", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47014", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47014", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47014", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47014" } }, "CVE-2021-47015": { "affected_versions": "v5.1-rc5 to v5.13-rc1", "breaks": "a1b0e4e684e9c300b9e759b46cb7a0147e61ddff", "cmt_msg": "bnxt_en: Fix RX consumer index logic in the error path.", "fixes": "bbd6f0a948139970f4a615dff189d9a503681a39", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix RX consumer index logic in the error path.\n\nIn bnxt_rx_pkt(), the RX buffers are expected to complete in order.\nIf the RX consumer index indicates an out of order buffer completion,\nit means we are hitting a hardware bug and the driver will abort all\nremaining RX packets and reset the RX ring. The RX consumer index\nthat we pass to bnxt_discard_rx() is not correct. We should be\npassing the current index (tmp_raw_cons) instead of the old index\n(raw_cons). This bug can cause us to be at the wrong index when\ntrying to abort the next RX packet. 
It can crash like this:\n\n #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007\n #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232\n #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e\n #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978\n #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0\n #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e\n #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24\n #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e\n #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12\n #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5\n [exception RIP: bnxt_rx_pkt+237]\n RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213\n RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000\n RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000\n RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d\n R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0\n R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47015", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47015", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47015", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47015", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47015", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47015" } }, "CVE-2021-47016": { "affected_versions": "v5.2-rc1 to v5.13-rc1", "breaks": "7529b90d051e4629884771ba2b1d3a87d2c6a9d7", "cmt_msg": "m68k: mvme147,mvme16x: Don't wipe PCC timer config bits", "fixes": "43262178c043032e7c42d00de44c818ba05f9967", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: mvme147,mvme16x: Don't wipe PCC timer config bits\n\nDon't clear the timer 1 configuration bits when clearing the 
interrupt flag\nand counter overflow. As Michael reported, \"This results in no timer\ninterrupts being delivered after the first. Initialization then hangs\nin calibrate_delay as the jiffies counter is not updated.\"\n\nOn mvme16x, enable the timer after requesting the irq, consistent with\nmvme147.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47016", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47016", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47016", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47016", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47016", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47016" } }, "CVE-2021-47017": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "c8334512f3dd1b94844baca629f9bedca4271593", "cmt_msg": "ath10k: Fix a use after free in ath10k_htc_send_bundle", "fixes": "8392df5d7e0b6a7d21440da1fc259f9938f4dec3", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: Fix a use after free in ath10k_htc_send_bundle\n\nIn ath10k_htc_send_bundle, the bundle_skb could be freed by\ndev_kfree_skb_any(bundle_skb). 
But the bundle_skb is used later\nby bundle_skb->len.\n\nAs skb_len = bundle_skb->len, my patch replaces bundle_skb->len with\nskb_len after the bundle_skb was freed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47017", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47017", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47017", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47017", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47017", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47017" } }, "CVE-2021-47018": { "affected_versions": "v5.5-rc1 to v5.13-rc1", "breaks": "265c3491c4bc8d40587996d6ee2f447a7ccfb4f3", "cmt_msg": "powerpc/64: Fix the definition of the fixmap area", "fixes": "9ccba66d4d2aff9a3909aa77d57ea8b7cc166f3c", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64: Fix the definition of the fixmap area\n\nAt the time being, the fixmap area is defined at the top of\nthe address space or just below KASAN.\n\nThis definition is not valid for PPC64.\n\nFor PPC64, use the top of the I/O space.\n\nBecause of circular dependencies, it is not possible to include\nasm/fixmap.h in asm/book3s/64/pgtable.h , so define a fixed size\nAREA at the top of the I/O space for fixmap and ensure during\nbuild that the size is big enough.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47018", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47018", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47018", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47018", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47018", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47018" } }, "CVE-2021-47019": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "ffa1bf97425bd511b105ce769976e20a845a71e9", "cmt_msg": "mt76: mt7921: fix possible invalid 
register access", "fixes": "fe3fccde8870764ba3e60610774bd7bc9f8faeff", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix possible invalid register access\n\nDisable the interrupt and synchronze for the pending irq handlers to ensure\nthe irq tasklet is not being scheduled after the suspend to avoid the\npossible invalid register access acts when the host pcie controller is\nsuspended.\n\n[17932.910534] mt7921e 0000:01:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 21375 usecs\n[17932.910590] pcieport 0000:00:00.0: calling pci_pm_suspend+0x0/0x22c @ 18565, parent: pci0000:00\n[17932.910602] pcieport 0000:00:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 8 usecs\n[17932.910671] mtk-pcie 11230000.pcie: calling platform_pm_suspend+0x0/0x60 @ 22783, parent: soc\n[17932.910674] mtk-pcie 11230000.pcie: platform_pm_suspend+0x0/0x60 returned 0 after 0 usecs\n\n...\n\n17933.615352] x1 : 00000000000d4200 x0 : ffffff8269ca2300\n[17933.620666] Call trace:\n[17933.623127] mt76_mmio_rr+0x28/0xf0 [mt76]\n[17933.627234] mt7921_rr+0x38/0x44 [mt7921e]\n[17933.631339] mt7921_irq_tasklet+0x54/0x1d8 [mt7921e]\n[17933.636309] tasklet_action_common+0x12c/0x16c\n[17933.640754] tasklet_action+0x24/0x2c\n[17933.644418] __do_softirq+0x16c/0x344\n[17933.648082] irq_exit+0xa8/0xac\n[17933.651224] scheduler_ipi+0xd4/0x148\n[17933.654890] handle_IPI+0x164/0x2d4\n[17933.658379] gic_handle_irq+0x140/0x178\n[17933.662216] el1_irq+0xb8/0x180\n[17933.665361] cpuidle_enter_state+0xf8/0x204\n[17933.669544] cpuidle_enter+0x38/0x4c\n[17933.673122] do_idle+0x1a4/0x2a8\n[17933.676352] cpu_startup_entry+0x24/0x28\n[17933.680276] rest_init+0xd4/0xe0\n[17933.683508] arch_call_rest_init+0x10/0x18\n[17933.687606] start_kernel+0x340/0x3b4\n[17933.691279] Code: aa0003f5 d503201f f953eaa8 8b344108 (b9400113)\n[17933.697373] ---[ end trace a24b8e26ffbda3c5 ]---\n[17933.767846] Kernel panic - not 
syncing: Fatal exception in interrupt", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47019", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47019", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47019", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47019", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47019", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47019" } }, "CVE-2021-47020": { "affected_versions": "v4.18-rc1 to v5.13-rc1", "breaks": "89e590535f32d4bc548bcf266f3b046e50942f6d", "cmt_msg": "soundwire: stream: fix memory leak in stream config error path", "fixes": "48f17f96a81763c7c8bf5500460a359b9939359f", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: stream: fix memory leak in stream config error path\n\nWhen stream config is failed, master runtime will release all\nslave runtime in the slave_rt_list, but slave runtime is not\nadded to the list at this time. 
This patch frees slave runtime\nin the config error path to fix the memory leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47020", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47020", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47020", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47020", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47020", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47020" } }, "CVE-2021-47021": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "f285dfb98562e8380101095d168910df1d07d8be", "cmt_msg": "mt76: mt7915: fix memleak when mt7915_unregister_device()", "fixes": "e9d32af478cfc3744a45245c0b126738af4b3ac4", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix memleak when mt7915_unregister_device()\n\nmt7915_tx_token_put() should be called before mt76_free_pending_txwi().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47021", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47021", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47021", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47021", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47021", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47021" } }, "CVE-2021-47022": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "a6275e934605646ef81b02d8d1164f21343149c9", "cmt_msg": "mt76: mt7615: fix memleak when mt7615_unregister_device()", "fixes": "8ab31da7b89f71c4c2defcca989fab7b42f87d71", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix memleak when mt7615_unregister_device()\n\nmt7615_tx_token_put() should be called before mt76_free_pending_txwi().", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2021-47022", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47022", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47022", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47022", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47022", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47022" } }, "CVE-2021-47023": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "501ef3066c89d7f9045315e1be58749cf9e6814d", "cmt_msg": "net: marvell: prestera: fix port event handling on init", "fixes": "333980481b99edb24ebd5d1a53af70a15d9146de", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix port event handling on init\n\nFor some reason there might be a crash during ports creation if port\nevents are handling at the same time because fw may send initial\nport event with down state.\n\nThe crash points to cancel_delayed_work() which is called when port went\nis down. 
Currently I did not find out the real cause of the issue, so\nfixed it by cancel port stats work only if previous port's state was up\n& runnig.\n\nThe following is the crash which can be triggered:\n\n[ 28.311104] Unable to handle kernel paging request at virtual address\n000071775f776600\n[ 28.319097] Mem abort info:\n[ 28.321914] ESR = 0x96000004\n[ 28.324996] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 28.330350] SET = 0, FnV = 0\n[ 28.333430] EA = 0, S1PTW = 0\n[ 28.336597] Data abort info:\n[ 28.339499] ISV = 0, ISS = 0x00000004\n[ 28.343362] CM = 0, WnR = 0\n[ 28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000\n[ 28.352842] [000071775f776600] pgd=0000000000000000,\np4d=0000000000000000\n[ 28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 28.365310] Modules linked in: prestera_pci(+) prestera\nuio_pdrv_genirq\n[ 28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted\n5.11.0-rc4 #1\n[ 28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[ 28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn\n[prestera_pci]\n[ 28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--)\n[ 28.397468] pc : get_work_pool+0x48/0x60\n[ 28.401442] lr : try_to_grab_pending+0x6c/0x1b0\n[ 28.406018] sp : ffff80001391bc60\n[ 28.409358] x29: ffff80001391bc60 x28: 0000000000000000\n[ 28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88\n[ 28.420089] x25: 0000000000000000 x24: ffff000106119760\n[ 28.425452] x23: ffff00010775dd60 x22: ffff00010567e000\n[ 28.430814] x21: 0000000000000000 x20: ffff80001391bcb0\n[ 28.436175] x19: ffff00010775deb8 x18: 00000000000000c0\n[ 28.441537] x17: 0000000000000000 x16: 000000008d9b0e88\n[ 28.446898] x15: 0000000000000001 x14: 00000000000002ba\n[ 28.452261] x13: 80a3002c00000002 x12: 00000000000005f4\n[ 28.457622] x11: 0000000000000030 x10: 000000000000000c\n[ 28.462985] x9 : 000000000000000c x8 : 0000000000000030\n[ 28.468346] x7 : ffff800014400000 x6 : ffff000106119758\n[ 28.473708] x5 : 
0000000000000003 x4 : ffff00010775dc60\n[ 28.479068] x3 : 0000000000000000 x2 : 0000000000000060\n[ 28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8\n[ 28.489791] Call trace:\n[ 28.492259] get_work_pool+0x48/0x60\n[ 28.495874] cancel_delayed_work+0x38/0xb0\n[ 28.500011] prestera_port_handle_event+0x90/0xa0 [prestera]\n[ 28.505743] prestera_evt_recv+0x98/0xe0 [prestera]\n[ 28.510683] prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci]\n[ 28.516660] process_one_work+0x1e8/0x360\n[ 28.520710] worker_thread+0x44/0x480\n[ 28.524412] kthread+0x154/0x160\n[ 28.527670] ret_from_fork+0x10/0x38\n[ 28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020)\n[ 28.537429] ---[ end trace 5eced933df3a080b ]---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47023", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47023", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47023", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47023", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47023", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47023" } }, "CVE-2021-47024": { "affected_versions": "v5.2-rc2 to v5.13-rc1", "breaks": "ac03046ece2b158ebd204dfc4896fd9f39f0e6c8", "cmt_msg": "vsock/virtio: free queued packets when closing socket", "fixes": "8432b8114957235f42e070a16118a7f750de9d39", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: free queued packets when closing socket\n\nAs reported by syzbot [1], there is a memory leak while closing the\nsocket. 
We partially solved this issue with commit ac03046ece2b\n(\"vsock/virtio: free packets during the socket release\"), but we\nforgot to drain the RX queue when the socket is definitely closed by\nthe scheduled work.\n\nTo avoid future issues, let's use the new virtio_transport_remove_sock()\nto drain the RX queue before removing the socket from the af_vsock lists\ncalling vsock_remove_sock().\n\n[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47024", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47024", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47024", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47024", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47024", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47024" } }, "CVE-2021-47025": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "c0b57581b73be7b43f39e0dff201c93413f6a668", "cmt_msg": "iommu/mediatek: Always enable the clk on resume", "fixes": "b34ea31fe013569d42b7e8681ef3f717f77c5b72", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Always enable the clk on resume\n\nIn mtk_iommu_runtime_resume always enable the clk, even\nif m4u_dom is null. 
Otherwise the 'suspend' cb might\ndisable the clk which is already disabled causing the warning:\n\n[ 1.586104] infra_m4u already disabled\n[ 1.586133] WARNING: CPU: 0 PID: 121 at drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8\n[ 1.594391] mtk-iommu 10205000.iommu: bound 18001000.larb (ops mtk_smi_larb_component_ops)\n[ 1.598108] Modules linked in:\n[ 1.598114] CPU: 0 PID: 121 Comm: kworker/0:2 Not tainted 5.12.0-rc5 #69\n[ 1.609246] mtk-iommu 10205000.iommu: bound 14027000.larb (ops mtk_smi_larb_component_ops)\n[ 1.617487] Hardware name: Google Elm (DT)\n[ 1.617491] Workqueue: pm pm_runtime_work\n[ 1.620545] mtk-iommu 10205000.iommu: bound 19001000.larb (ops mtk_smi_larb_component_ops)\n\n[ 1.627229] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--)\n[ 1.659297] pc : clk_core_disable+0xb0/0xb8\n[ 1.663475] lr : clk_core_disable+0xb0/0xb8\n[ 1.667652] sp : ffff800011b9bbe0\n[ 1.670959] x29: ffff800011b9bbe0 x28: 0000000000000000\n[ 1.676267] x27: ffff800011448000 x26: ffff8000100cfd98\n[ 1.681574] x25: ffff800011b9bd48 x24: 0000000000000000\n[ 1.686882] x23: 0000000000000000 x22: ffff8000106fad90\n[ 1.692189] x21: 000000000000000a x20: ffff0000c0048500\n[ 1.697496] x19: ffff0000c0048500 x18: ffffffffffffffff\n[ 1.702804] x17: 0000000000000000 x16: 0000000000000000\n[ 1.708112] x15: ffff800011460300 x14: fffffffffffe0000\n[ 1.713420] x13: ffff8000114602d8 x12: 0720072007200720\n[ 1.718727] x11: 0720072007200720 x10: 0720072007200720\n[ 1.724035] x9 : ffff800011b9bbe0 x8 : ffff800011b9bbe0\n[ 1.729342] x7 : 0000000000000009 x6 : ffff8000114b8328\n[ 1.734649] x5 : 0000000000000000 x4 : 0000000000000000\n[ 1.739956] x3 : 00000000ffffffff x2 : ffff800011460298\n[ 1.745263] x1 : 1af1d7de276f4500 x0 : 0000000000000000\n[ 1.750572] Call trace:\n[ 1.753010] clk_core_disable+0xb0/0xb8\n[ 1.756840] clk_core_disable_lock+0x24/0x40\n[ 1.761105] clk_disable+0x20/0x30\n[ 1.764501] mtk_iommu_runtime_suspend+0x88/0xa8\n[ 1.769114] pm_generic_runtime_suspend+0x2c/0x48\n[ 
1.773815] __rpm_callback+0xe0/0x178\n[ 1.777559] rpm_callback+0x24/0x88\n[ 1.781041] rpm_suspend+0xdc/0x470\n[ 1.784523] rpm_idle+0x12c/0x170\n[ 1.787831] pm_runtime_work+0xa8/0xc0\n[ 1.791573] process_one_work+0x1e8/0x360\n[ 1.795580] worker_thread+0x44/0x478\n[ 1.799237] kthread+0x150/0x158\n[ 1.802460] ret_from_fork+0x10/0x30\n[ 1.806034] ---[ end trace 82402920ef64573b ]---\n[ 1.810728] ------------[ cut here ]------------\n\nIn addition, we now don't need to enable the clock from the\nfunction mtk_iommu_hw_init since it is already enabled by the resume.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47025", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47025", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47025", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47025", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47025", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47025" } }, "CVE-2021-47026": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "6a98d71daea186247005099758af549e6afdd244", "cmt_msg": "RDMA/rtrs-clt: destroy sysfs after removing session from active list", "fixes": "7f4a8592ff29f19c5a2ca549d0973821319afaad", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs-clt: destroy sysfs after removing session from active list\n\nA session can be removed dynamically by sysfs interface \"remove_path\" that\neventually calls rtrs_clt_remove_path_from_sysfs function. The current\nrtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and\nfrees sess->stats object. 
Second it removes the session from the active\nlist.\n\nTherefore some functions could access non-connected session and access the\nfreed sess->stats object even-if they check the session status before\naccessing the session.\n\nFor instance rtrs_clt_request and get_next_path_min_inflight check the\nsession status and try to send IO to the session. The session status\ncould be changed when they are trying to send IO but they could not catch\nthe change and update the statistics information in sess->stats object,\nand generate use-after-free problem.\n(see: \"RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its\nstats\")\n\nThis patch changes the rtrs_clt_remove_path_from_sysfs to remove the\nsession from the active session list and then destroy the sysfs\ninterfaces.\n\nEach function still should check the session status because closing or\nerror recovery paths can change the status.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47026", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47026", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47026", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47026", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47026", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47026" } }, "CVE-2021-47027": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "5c14a5f944b91371961548b1907802f74a4d2e5c", "cmt_msg": "mt76: mt7921: fix kernel crash when the firmware fails to download", "fixes": "e230f0c44f011f3270680a506b19b7e84c5e8923", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix kernel crash when the firmware fails to download\n\nFix kernel crash when the firmware is missing or fails to download.\n\n[ 9.444758] kernel BUG at drivers/pci/msi.c:375!\n[ 9.449363] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[ 9.501033] pstate: 
a0400009 (NzCv daif +PAN -UAO)\n[ 9.505814] pc : free_msi_irqs+0x180/0x184\n[ 9.509897] lr : free_msi_irqs+0x40/0x184\n[ 9.513893] sp : ffffffc015193870\n[ 9.517194] x29: ffffffc015193870 x28: 00000000f0e94fa2\n[ 9.522492] x27: 0000000000000acd x26: 000000000000009a\n[ 9.527790] x25: ffffffc0152cee58 x24: ffffffdbb383e0d8\n[ 9.533087] x23: ffffffdbb38628d0 x22: 0000000000040200\n[ 9.538384] x21: ffffff8cf7de7318 x20: ffffff8cd65a2480\n[ 9.543681] x19: ffffff8cf7de7000 x18: 0000000000000000\n[ 9.548979] x17: ffffff8cf9ca03b4 x16: ffffffdc13ad9a34\n[ 9.554277] x15: 0000000000000000 x14: 0000000000080800\n[ 9.559575] x13: ffffff8cd65a2980 x12: 0000000000000000\n[ 9.564873] x11: ffffff8cfa45d820 x10: ffffff8cfa45d6d0\n[ 9.570171] x9 : 0000000000000040 x8 : ffffff8ccef1b780\n[ 9.575469] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000\n[ 9.580766] x5 : ffffffdc13824900 x4 : ffffff8ccefe0000\n[ 9.586063] x3 : 0000000000000000 x2 : 0000000000000000\n[ 9.591362] x1 : 0000000000000125 x0 : ffffff8ccefe0000\n[ 9.596660] Call trace:\n[ 9.599095] free_msi_irqs+0x180/0x184\n[ 9.602831] pci_disable_msi+0x100/0x130\n[ 9.606740] pci_free_irq_vectors+0x24/0x30\n[ 9.610915] mt7921_pci_probe+0xbc/0x250 [mt7921e]\n[ 9.615693] pci_device_probe+0xd4/0x14c\n[ 9.619604] really_probe+0x134/0x2ec\n[ 9.623252] driver_probe_device+0x64/0xfc\n[ 9.627335] device_driver_attach+0x4c/0x6c\n[ 9.631506] __driver_attach+0xac/0xc0\n[ 9.635243] bus_for_each_dev+0x8c/0xd4\n[ 9.639066] driver_attach+0x2c/0x38\n[ 9.642628] bus_add_driver+0xfc/0x1d0\n[ 9.646365] driver_register+0x64/0xf8\n[ 9.650101] __pci_register_driver+0x6c/0x7c\n[ 9.654360] init_module+0x28/0xfdc [mt7921e]\n[ 9.658704] do_one_initcall+0x13c/0x2d0\n[ 9.662615] do_init_module+0x58/0x1e8\n[ 9.666351] load_module+0xd80/0xeb4\n[ 9.669912] __arm64_sys_finit_module+0xa8/0xe0\n[ 9.674430] el0_svc_common+0xa4/0x16c\n[ 9.678168] el0_svc_compat_handler+0x2c/0x40\n[ 9.682511] el0_svc_compat+0x8/0x10\n[ 9.686076] Code: a94257f6 f9400bf7 a8c47bfd 
d65f03c0 (d4210000)\n[ 9.692155] ---[ end trace 7621f966afbf0a29 ]---\n[ 9.697385] Kernel panic - not syncing: Fatal exception\n[ 9.702599] SMP: stopping secondary CPUs\n[ 9.706549] Kernel Offset: 0x1c03600000 from 0xffffffc010000000\n[ 9.712456] PHYS_OFFSET: 0xfffffff440000000\n[ 9.716625] CPU features: 0x080026,2a80aa18\n[ 9.720795] Memory Limit: none", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47027", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47027", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47027", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47027", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47027", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47027" } }, "CVE-2021-47028": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "mt76: mt7915: fix txrate reporting", "fixes": "f43b941fd61003659a3f0e039595e5e525917aa8", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix txrate reporting\n\nProperly check rate_info to fix unexpected reporting.\n\n[ 1215.161863] Call trace:\n[ 1215.164307] cfg80211_calculate_bitrate+0x124/0x200 [cfg80211]\n[ 1215.170139] ieee80211s_update_metric+0x80/0xc0 [mac80211]\n[ 1215.175624] ieee80211_tx_status_ext+0x508/0x838 [mac80211]\n[ 1215.181190] mt7915_mcu_get_rx_rate+0x28c/0x8d0 [mt7915e]\n[ 1215.186580] mt7915_mac_tx_free+0x324/0x7c0 [mt7915e]\n[ 1215.191623] mt7915_queue_rx_skb+0xa8/0xd0 [mt7915e]\n[ 1215.196582] mt76_dma_cleanup+0x7b0/0x11d0 [mt76]\n[ 1215.201276] __napi_poll+0x38/0xf8\n[ 1215.204668] napi_workfn+0x40/0x80\n[ 1215.208062] process_one_work+0x1fc/0x390\n[ 1215.212062] worker_thread+0x48/0x4d0\n[ 1215.215715] kthread+0x120/0x128\n[ 1215.218935] ret_from_fork+0x10/0x1c", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47028", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2021-47028", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47028", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47028", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47028", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47028" } }, "CVE-2021-47029": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "d0e274af2f2e44b9d496f5d2c0431fdd2ea76fb8", "cmt_msg": "mt76: connac: fix kernel warning adding monitor interface", "fixes": "c996f0346e40e3b1ac2ebaf0681df898fb157f60", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: connac: fix kernel warning adding monitor interface\n\nFix the following kernel warning adding a monitor interface in\nmt76_connac_mcu_uni_add_dev routine.\n\n[ 507.984882] ------------[ cut here ]------------\n[ 507.989515] WARNING: CPU: 1 PID: 3017 at mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib]\n[ 508.059379] CPU: 1 PID: 3017 Comm: ifconfig Not tainted 5.4.98 #0\n[ 508.065461] Hardware name: MT7622_MT7531 RFB (DT)\n[ 508.070156] pstate: 80000005 (Nzcv daif -PAN -UAO)\n[ 508.074939] pc : mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib]\n[ 508.081806] lr : mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e]\n[ 508.087367] sp : ffffffc013a33930\n[ 508.090671] x29: ffffffc013a33930 x28: ffffff801e628ac0\n[ 508.095973] x27: ffffff801c7f1200 x26: ffffff801c7eb008\n[ 508.101275] x25: ffffff801c7eaef0 x24: ffffff801d025610\n[ 508.106577] x23: ffffff801d022990 x22: ffffff801d024de8\n[ 508.111879] x21: ffffff801d0226a0 x20: ffffff801c7eaee8\n[ 508.117181] x19: ffffff801d0226a0 x18: 000000005d00b000\n[ 508.122482] x17: 00000000ffffffff x16: 0000000000000000\n[ 508.127785] x15: 0000000000000080 x14: ffffff801d704000\n[ 508.133087] x13: 0000000000000040 x12: 0000000000000002\n[ 508.138389] x11: 000000000000000c x10: 0000000000000000\n[ 508.143691] x9 : 
0000000000000020 x8 : 0000000000000001\n[ 508.148992] x7 : 0000000000000000 x6 : 0000000000000000\n[ 508.154294] x5 : ffffff801c7eaee8 x4 : 0000000000000006\n[ 508.159596] x3 : 0000000000000001 x2 : 0000000000000000\n[ 508.164898] x1 : ffffff801c7eac08 x0 : ffffff801d0226a0\n[ 508.170200] Call trace:\n[ 508.172640] mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib]\n[ 508.179159] mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e]\n[ 508.184394] drv_add_interface+0x34/0x88 [mac80211]\n[ 508.189271] ieee80211_add_virtual_monitor+0xe0/0xb48 [mac80211]\n[ 508.195277] ieee80211_do_open+0x86c/0x918 [mac80211]\n[ 508.200328] ieee80211_do_open+0x900/0x918 [mac80211]\n[ 508.205372] __dev_open+0xcc/0x150\n[ 508.208763] __dev_change_flags+0x134/0x198\n[ 508.212937] dev_change_flags+0x20/0x60\n[ 508.216764] devinet_ioctl+0x3e8/0x748\n[ 508.220503] inet_ioctl+0x1e4/0x350\n[ 508.223983] sock_do_ioctl+0x48/0x2a0\n[ 508.227635] sock_ioctl+0x310/0x4f8\n[ 508.231116] do_vfs_ioctl+0xa4/0xac0\n[ 508.234681] ksys_ioctl+0x44/0x90\n[ 508.237985] __arm64_sys_ioctl+0x1c/0x48\n[ 508.241901] el0_svc_common.constprop.1+0x7c/0x100\n[ 508.246681] el0_svc_handler+0x18/0x20\n[ 508.250421] el0_svc+0x8/0x1c8\n[ 508.253465] ---[ end trace c7b90fee13d72c39 ]---\n[ 508.261278] ------------[ cut here ]------------", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47029", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47029", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47029", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47029", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47029", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47029" } }, "CVE-2021-47030": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "d2bf7959d9c0f631ef860edaf834d55773fdedff", "cmt_msg": "mt76: mt7615: fix memory leak in mt7615_coredump_work", "fixes": "49cc85059a2cb656f96ff3693f891e8fe8f669a9", "last_affected_version": "5.12.3", "last_modified": 
"2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix memory leak in mt7615_coredump_work\n\nSimilar to the issue fixed in mt7921_coredump_work, fix a possible memory\nleak in mt7615_coredump_work routine.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47030", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47030", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47030", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47030", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47030", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47030" } }, "CVE-2021-47031": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "1c099ab44727c8e42fe4de4d91b53cec3ef02860", "cmt_msg": "mt76: mt7921: fix memory leak in mt7921_coredump_work", "fixes": "782b3e86ea970e899f8e723db9f64708a15ca30e", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix memory leak in mt7921_coredump_work\n\nFix possible memory leak in mt7921_coredump_work.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47031", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47031", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47031", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47031", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47031", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47031" } }, "CVE-2021-47032": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "27d5c528a7ca08dcd44877fdd9fc08b76630bf77", "cmt_msg": "mt76: mt7915: fix tx skb dma unmap", "fixes": "7dcf3c04f0aca746517a77433b33d40868ca4749", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix tx skb dma unmap\n\nThe first 
pointer in the txp needs to be unmapped as well, otherwise it will\nleak DMA mapping entries", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47032", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47032", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47032", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47032", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47032", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47032" } }, "CVE-2021-47033": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "27d5c528a7ca08dcd44877fdd9fc08b76630bf77", "cmt_msg": "mt76: mt7615: fix tx skb dma unmap", "fixes": "ebee7885bb12a8fe2c2f9bac87dbd87a05b645f9", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix tx skb dma unmap\n\nThe first pointer in the txp needs to be unmapped as well, otherwise it will\nleak DMA mapping entries", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47033", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47033", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47033", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47033", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47033", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47033" } }, "CVE-2021-47034": { "affected_versions": "v4.18-rc1 to v5.13-rc1", "breaks": "f1cb8f9beba8699dd1b4518418191499e53f7b17", "cmt_msg": "powerpc/64s: Fix pte update for kernel memory on radix", "fixes": "b8b2f37cf632434456182e9002d63cbc4cccc50c", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix pte update for kernel memory on radix\n\nWhen adding a PTE a ptesync is needed to order the update of the PTE\nwith subsequent accesses otherwise a spurious fault may be 
raised.\n\nradix__set_pte_at() does not do this for performance gains. For\nnon-kernel memory this is not an issue as any faults of this kind are\ncorrected by the page fault handler. For kernel memory these faults\nare not handled. The current solution is that there is a ptesync in\nflush_cache_vmap() which should be called when mapping from the\nvmalloc region.\n\nHowever, map_kernel_page() does not call flush_cache_vmap(). This is\ntroublesome in particular for code patching with Strict RWX on radix.\nIn do_patch_instruction() the page frame that contains the instruction\nto be patched is mapped and then immediately patched. With no ordering\nor synchronization between setting up the PTE and writing to the page\nit is possible for faults.\n\nAs the code patching is done using __put_user_asm_goto() the resulting\nfault is obscured - but using a normal store instead it can be seen:\n\n BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c\n Faulting instruction address: 0xc00000000008bd74\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in: nop_module(PO+) [last unloaded: nop_module]\n CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43\n NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810\n REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty)\n MSR: 9000000000009033 CR: 44002884 XER: 00000000\n CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1\n\nThis results in the kind of issue reported here:\n https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/\n\nChris Riedl suggested a reliable way to reproduce the issue:\n $ mount -t debugfs none /sys/kernel/debug\n $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) &\n\nTurning ftrace on and off does a large amount of code 
patching which\nin usually less then 5min will crash giving a trace like:\n\n ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)\n ------------[ ftrace bug ]------------\n ftrace failed to modify\n [] napi_busy_loop+0xc/0x390\n actual: 11:3b:47:4b\n Setting ftrace call site to call ftrace function\n ftrace record flags: 80000001\n (1)\n expected tramp: c00000000006c96c\n ------------[ cut here ]------------\n WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8\n Modules linked in: nop_module(PO-) [last unloaded: nop_module]\n CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1\n NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0\n REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a)\n MSR: 900000000282b033 CR: 28008848 XER: 20040000\n CFAR: c0000000001a9c98 IRQMASK: 0\n GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022\n GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8\n GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118\n GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000\n GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008\n GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8\n GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020\n GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0\n NIP ftrace_bug+0x28c/0x2e8\n LR ftrace_bug+0x288/0x2e8\n Call T\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47034", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47034", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47034", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47034", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47034", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47034" } }, 
"CVE-2021-47035": { "affected_versions": "v5.6-rc1 to v5.13-rc1", "breaks": "b802d070a52a1565b47daaa808872cfbd4a17b01", "cmt_msg": "iommu/vt-d: Remove WO permissions on second-level paging entries", "fixes": "eea53c5816889ee8b64544fa2e9311a81184ff9c", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Remove WO permissions on second-level paging entries\n\nWhen the first level page table is used for IOVA translation, it only\nsupports Read-Only and Read-Write permissions. The Write-Only permission\nis not supported as the PRESENT bit (implying Read permission) should\nalways set. When using second level, we still give separate permissions\nthat allows WriteOnly which seems inconsistent and awkward. We want to\nhave consistent behavior. After moving to 1st level, we don't want things\nto work sometimes, and break if we use 2nd level for the same mappings.\nHence remove this configuration.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47035", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47035", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47035", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47035", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47035", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47035" } }, "CVE-2021-47036": { "affected_versions": "v5.6-rc1 to v5.13-rc1", "breaks": "9fd1ff5d2ac7181844735806b0a703c942365291", "cmt_msg": "udp: skip L4 aggregation for UDP tunnel packets", "fixes": "18f25dc399901426dff61e676ba603ff52c666f7", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: skip L4 aggregation for UDP tunnel packets\n\nIf NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there\nare UDP tunnels available in the system, udp_gro_receive() could end-up\ndoing L4 
aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at\nthe outer UDP tunnel level for packets effectively carrying and UDP\ntunnel header.\n\nThat could cause inner protocol corruption. If e.g. the relevant\npackets carry a vxlan header, different vxlan ids will be ignored/\naggregated to the same GSO packet. Inner headers will be ignored, too,\nso that e.g. TCP over vxlan push packets will be held in the GRO\nengine till the next flush, etc.\n\nJust skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the\ncurrent packet could land in a UDP tunnel, and let udp_gro_receive()\ndo GRO via udp_sk(sk)->gro_receive.\n\nThe check implemented in this patch is broader than what is strictly\nneeded, as the existing UDP tunnel could be e.g. configured on top of\na different device: we could end-up skipping GRO at-all for some packets.\n\nAnyhow, that is a very thin corner case and covering it will add quite\na bit of complexity.\n\nv1 -> v2:\n - hopefully clarify the commit message", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47036", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47036", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47036", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47036", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47036", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47036" } }, "CVE-2021-47037": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "520a1c396d1966b64884d8e0176a580150d5a09e", "cmt_msg": "ASoC: q6afe-clocks: fix reprobing of the driver", "fixes": "96fadf7e8ff49fdb74754801228942b67c3eeebd", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: q6afe-clocks: fix reprobing of the driver\n\nQ6afe-clocks driver can get reprobed. For example if the APR services\nare restarted after the firmware crash. 
However currently Q6afe-clocks\ndriver will oops because hw.init will get cleared during first _probe\ncall. Rewrite the driver to fill the clock data at runtime rather than\nusing big static array of clocks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47037", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47037", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47037", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47037", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47037", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47037" } }, "CVE-2021-47038": { "affected_versions": "v5.7-rc1 to v5.13-rc1", "breaks": "eab2404ba798a8efda2a970f44071c3406d94e57", "cmt_msg": "Bluetooth: avoid deadlock between hci_dev->lock and socket lock", "fixes": "17486960d79b900c45e0bb8fbcac0262848582ba", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: avoid deadlock between hci_dev->lock and socket lock\n\nCommit eab2404ba798 (\"Bluetooth: Add BT_PHY socket option\") added a\ndependency between socket lock and hci_dev->lock that could lead to\ndeadlock.\n\nIt turns out that hci_conn_get_phy() is not in any way relying on hdev\nbeing immutable during the runtime of this function, neither does it even\nlook at any of the members of hdev, and as such there is no need to hold\nthat lock.\n\nThis fixes the lockdep splat below:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n 5.12.0-rc1-00026-g73d464503354 #10 Not tainted\n ------------------------------------------------------\n bluetoothd/1118 is trying to acquire lock:\n ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth]\n\n but task is already holding lock:\n ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: 
l2cap_sock_getsockopt+0x8b/0x610\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}:\n lock_sock_nested+0x72/0xa0\n l2cap_sock_ready_cb+0x18/0x70 [bluetooth]\n l2cap_config_rsp+0x27a/0x520 [bluetooth]\n l2cap_sig_channel+0x658/0x1330 [bluetooth]\n l2cap_recv_frame+0x1ba/0x310 [bluetooth]\n hci_rx_work+0x1cc/0x640 [bluetooth]\n process_one_work+0x244/0x5f0\n worker_thread+0x3c/0x380\n kthread+0x13e/0x160\n ret_from_fork+0x22/0x30\n\n -> #2 (&chan->lock#2/1){+.+.}-{3:3}:\n __mutex_lock+0xa3/0xa10\n l2cap_chan_connect+0x33a/0x940 [bluetooth]\n l2cap_sock_connect+0x141/0x2a0 [bluetooth]\n __sys_connect+0x9b/0xc0\n __x64_sys_connect+0x16/0x20\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n -> #1 (&conn->chan_lock){+.+.}-{3:3}:\n __mutex_lock+0xa3/0xa10\n l2cap_chan_connect+0x322/0x940 [bluetooth]\n l2cap_sock_connect+0x141/0x2a0 [bluetooth]\n __sys_connect+0x9b/0xc0\n __x64_sys_connect+0x16/0x20\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n -> #0 (&hdev->lock){+.+.}-{3:3}:\n __lock_acquire+0x147a/0x1a50\n lock_acquire+0x277/0x3d0\n __mutex_lock+0xa3/0xa10\n hci_conn_get_phy+0x1c/0x150 [bluetooth]\n l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth]\n __sys_getsockopt+0xcc/0x200\n __x64_sys_getsockopt+0x20/0x30\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n other info that might help us debug this:\n\n Chain exists of:\n &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);\n lock(&chan->lock#2/1);\n lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);\n lock(&hdev->lock);\n\n *** DEADLOCK ***\n\n 1 lock held by bluetoothd/1118:\n #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth]\n\n stack backtrace:\n CPU: 
3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10\n Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017\n Call Trace:\n dump_stack+0x7f/0xa1\n check_noncircular+0x105/0x120\n ? __lock_acquire+0x147a/0x1a50\n __lock_acquire+0x147a/0x1a50\n lock_acquire+0x277/0x3d0\n ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n ? __lock_acquire+0x2e1/0x1a50\n ? lock_is_held_type+0xb4/0x120\n ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n __mutex_lock+0xa3/0xa10\n ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n ? lock_acquire+0x277/0x3d0\n ? mark_held_locks+0x49/0x70\n ? mark_held_locks+0x49/0x70\n ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n hci_conn_get_phy+0x\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47038", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47038", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47038", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47038", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47038", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47038" } }, "CVE-2021-47039": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "bf9c0538e485b591a2ee02d9adb8a99db4be5a2a", "cmt_msg": "ataflop: potential out of bounds in do_format()", "fixes": "1ffec389a6431782a8a28805830b6fae9bf00af1", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nataflop: potential out of bounds in do_format()\n\nThe function uses \"type\" as an array index:\n\n\tq = unit[drive].disk[type]->queue;\n\nUnfortunately the bounds check on \"type\" isn't done until later in the\nfunction. 
Fix this by moving the bounds check to the start.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47039", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47039", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47039", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47039" } }, "CVE-2021-47040": { "affected_versions": "v5.8-rc1 to v5.13-rc1", "breaks": "efe68c1ca8f49e8c06afd74b699411bfbb8ba1ff", "cmt_msg": "io_uring: fix overflows checks in provide buffers", "fixes": "38134ada0ceea3e848fe993263c0ff6207fd46e7", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix overflows checks in provide buffers\n\nColin reported before possible overflow and sign extension problems in\nio_provide_buffers_prep(). As Linus pointed out previous attempt did nothing\nuseful, see d81269fecb8ce (\"io_uring: fix provide_buffers sign extension\").\n\nDo that with help of check__overflow helpers. 
And fix struct\nio_provide_buf::len type, as it doesn't make much sense to keep it\nsigned.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47040", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47040", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47040", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47040", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47040", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47040" } }, "CVE-2021-47041": { "affected_versions": "v5.0-rc1 to v5.13-rc1", "breaks": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "cmt_msg": "nvmet-tcp: fix incorrect locking in state_change sk callback", "fixes": "b5332a9f3f3d884a1b646ce155e664cc558c1722", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fix incorrect locking in state_change sk callback\n\nWe are not changing anything in the TCP connection state so\nwe should not take a write_lock but rather a read lock.\n\nThis caused a deadlock when running nvmet-tcp and nvme-tcp\non the same system, where state_change callbacks on the\nhost and on the controller side have causal relationship\nand made lockdep report on this with blktests:\n\n================================\nWARNING: inconsistent lock state\n5.12.0-rc3 #1 Tainted: G I\n--------------------------------\ninconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage.\nnvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes:\nffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n{IN-SOFTIRQ-W} state was registered at:\n __lock_acquire+0x79b/0x18d0\n lock_acquire+0x1ca/0x480\n _raw_write_lock_bh+0x39/0x80\n nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp]\n tcp_fin+0x2a8/0x780\n tcp_data_queue+0xf94/0x1f20\n tcp_rcv_established+0x6ba/0x1f00\n tcp_v4_do_rcv+0x502/0x760\n tcp_v4_rcv+0x257e/0x3430\n ip_protocol_deliver_rcu+0x69/0x6a0\n 
ip_local_deliver_finish+0x1e2/0x2f0\n ip_local_deliver+0x1a2/0x420\n ip_rcv+0x4fb/0x6b0\n __netif_receive_skb_one_core+0x162/0x1b0\n process_backlog+0x1ff/0x770\n __napi_poll.constprop.0+0xa9/0x5c0\n net_rx_action+0x7b3/0xb30\n __do_softirq+0x1f0/0x940\n do_softirq+0xa1/0xd0\n __local_bh_enable_ip+0xd8/0x100\n ip_finish_output2+0x6b7/0x18a0\n __ip_queue_xmit+0x706/0x1aa0\n __tcp_transmit_skb+0x2068/0x2e20\n tcp_write_xmit+0xc9e/0x2bb0\n __tcp_push_pending_frames+0x92/0x310\n inet_shutdown+0x158/0x300\n __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp]\n nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp]\n nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp]\n nvme_do_delete_ctrl+0x100/0x10c [nvme_core]\n nvme_sysfs_delete.cold+0x8/0xd [nvme_core]\n kernfs_fop_write_iter+0x2c7/0x460\n new_sync_write+0x36c/0x610\n vfs_write+0x5c0/0x870\n ksys_write+0xf9/0x1d0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nirq event stamp: 10687\nhardirqs last enabled at (10687): [] _raw_spin_unlock_irqrestore+0x2d/0x40\nhardirqs last disabled at (10686): [] _raw_spin_lock_irqsave+0x68/0x90\nsoftirqs last enabled at (10684): [] __do_softirq+0x608/0x940\nsoftirqs last disabled at (10649): [] do_softirq+0xa1/0xd0\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(clock-AF_INET);\n \n lock(clock-AF_INET);\n\n *** DEADLOCK ***\n\n5 locks held by nvme/1324:\n #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0\n #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460\n #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330\n #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp]\n #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300\n\nstack backtrace:\nCPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1\nHardware name: Dell Inc. 
PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020\nCall Trace:\n dump_stack+0x93/0xc2\n mark_lock_irq.cold+0x2c/0xb3\n ? verify_lock_unused+0x390/0x390\n ? stack_trace_consume_entry+0x160/0x160\n ? lock_downgrade+0x100/0x100\n ? save_trace+0x88/0x5e0\n ? _raw_spin_unlock_irqrestore+0x2d/0x40\n mark_lock+0x530/0x1470\n ? mark_lock_irq+0x1d10/0x1d10\n ? enqueue_timer+0x660/0x660\n mark_usage+0x215/0x2a0\n __lock_acquire+0x79b/0x18d0\n ? tcp_schedule_loss_probe.part.0+0x38c/0x520\n lock_acquire+0x1ca/0x480\n ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n ? rcu_read_unlock+0x40/0x40\n ? tcp_mtu_probe+0x1ae0/0x1ae0\n ? kmalloc_reserve+0xa0/0xa0\n ? sysfs_file_ops+0x170/0x170\n _raw_read_lock+0x3d/0xa0\n ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n ? sysfs_file_ops\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47041", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47041", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47041", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47041", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47041", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47041" } }, "CVE-2021-47042": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "3a00c04212d1cfe1426338b78f4ead623508c874", "cmt_msg": "drm/amd/display: Free local data after use", "fixes": "616cf23b6cf40ad6f03ffbddfa1b6c4eb68d8ae1", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Free local data after use\n\nFixes the following memory leak in dc_link_construct():\n\nunreferenced object 0xffffa03e81471400 (size 1024):\ncomm \"amd_module_load\", pid 2486, jiffies 4294946026 (age 10.544s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................\nbacktrace:\n[<000000000bdf5c4a>] kmem_cache_alloc_trace+0x30a/0x4a0\n[<00000000e7c59f0e>] link_create+0xce/0xac0 [amdgpu]\n[<000000002fb6c072>] dc_create+0x370/0x720 [amdgpu]\n[<000000000094d1f3>] amdgpu_dm_init+0x18e/0x17a0 [amdgpu]\n[<00000000bec048fd>] dm_hw_init+0x12/0x20 [amdgpu]\n[<00000000a2bb7cf6>] amdgpu_device_init+0x1463/0x1e60 [amdgpu]\n[<0000000032d3bb13>] amdgpu_driver_load_kms+0x5b/0x330 [amdgpu]\n[<00000000a27834f9>] amdgpu_pci_probe+0x192/0x280 [amdgpu]\n[<00000000fec7d291>] local_pci_probe+0x47/0xa0\n[<0000000055dbbfa7>] pci_device_probe+0xe3/0x180\n[<00000000815da970>] really_probe+0x1c4/0x4e0\n[<00000000b4b6974b>] driver_probe_device+0x62/0x150\n[<000000000f9ecc61>] device_driver_attach+0x58/0x60\n[<000000000f65c843>] __driver_attach+0xd6/0x150\n[<000000002f5e3683>] bus_for_each_dev+0x6a/0xc0\n[<00000000a1cfc897>] driver_attach+0x1e/0x20", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47042", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47042", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47042", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47042", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47042", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47042" } }, "CVE-2021-47043": { "affected_versions": "v5.5-rc1 to v5.13-rc1", "breaks": "32f0a6ddc8c98a1aade2bf3d07c79d5d2c6ceb9a", "cmt_msg": "media: venus: core: Fix some resource leaks in the error path of 'venus_probe()'", "fixes": "5a465c5391a856a0c1e9554964d660676c35d1b2", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: core: Fix some resource leaks in the error path of 'venus_probe()'\n\nIf an error occurs after a successful 'of_icc_get()' call, it must be\nundone.\n\nUse 'devm_of_icc_get()' instead of 'of_icc_get()' to avoid the leak.\nUpdate the remove function accordingly and axe the now 
unneeded\n'icc_put()' calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47043", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47043", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47043", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47043", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47043", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47043" } }, "CVE-2021-47044": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "5a7f555904671c0737819fe4d19bd6143de3f6c0", "cmt_msg": "sched/fair: Fix shift-out-of-bounds in load_balance()", "fixes": "39a2a6eb5c9b66ea7c8055026303b3aa681b49a5", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix shift-out-of-bounds in load_balance()\n\nSyzbot reported a handful of occurrences where an sd->nr_balance_failed can\ngrow to much higher values than one would expect.\n\nA successful load_balance() resets it to 0; a failed one increments\nit. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an\nactive balance, which will either set it to sd->cache_nice_tries+1 or reset\nit to 0. However, in case the to-be-active-balanced task is not allowed to\nrun on env->dst_cpu, then the increment is done without any further\nmodification.\n\nThis could then be repeated ad nauseam, and would explain the absurdly high\nvalues reported by syzbot (86, 149). VincentG noted there is value in\nletting sd->cache_nice_tries grow, so the shift itself should be\nfixed. 
That means preventing:\n\n \"\"\"\n If the value of the right operand is negative or is greater than or equal\n to the width of the promoted left operand, the behavior is undefined.\n \"\"\"\n\nThus we need to cap the shift exponent to\n BITS_PER_TYPE(typeof(lefthand)) - 1.\n\nI had a look around for other similar cases via coccinelle:\n\n @expr@\n position pos;\n expression E1;\n expression E2;\n @@\n (\n E1 >> E2@pos\n |\n E1 >> E2@pos\n )\n\n @cst depends on expr@\n position pos;\n expression expr.E1;\n constant cst;\n @@\n (\n E1 >> cst@pos\n |\n E1 << cst@pos\n )\n\n @script:python depends on !cst@\n pos << expr.pos;\n exp << expr.E2;\n @@\n # Dirty hack to ignore constexpr\n if exp.upper() != exp:\n coccilib.report.print_report(pos[0], \"Possible UB shift here\")\n\nThe only other match in kernel/sched is rq_clock_thermal() which employs\nsched_thermal_decay_shift, and that exponent is already capped to 10, so\nthat one is fine.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47044", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47044", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47044", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47044", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47044", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47044" } }, "CVE-2021-47045": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "4430f7fd09ecb037570119e0aacbf0c17b8f98b2", "cmt_msg": "scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()", "fixes": "8dd1c125f7f838abad009b64bff5f0a11afe3cb6", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()\n\nIt is possible to call lpfc_issue_els_plogi() passing a did for which no\nmatching ndlp is found. 
A call is then made to lpfc_prep_els_iocb() with a\nnull pointer to a lpfc_nodelist structure resulting in a null pointer\ndereference.\n\nFix by returning an error status if no valid ndlp is found. Fix up comments\nregarding ndlp reference counting.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47045", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47045", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47045", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47045", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47045", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47045" } }, "CVE-2021-47046": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "drm/amd/display: Fix off by one in hdmi_14_process_transaction()", "fixes": "8e6fafd5a22e7a2eb216f5510db7aab54cc545c1", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix off by one in hdmi_14_process_transaction()\n\nThe hdcp_i2c_offsets[] array did not have an entry for\nHDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one\nread overflow. I added an entry and copied the 0x0 value for the offset\nfrom similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.\n\nI also declared several of these arrays as having HDCP_MESSAGE_ID_MAX\nentries. 
This doesn't change the code, but it's just a belt and\nsuspenders approach to try future proof the code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47046", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47046", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47046", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47046", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47046", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47046" } }, "CVE-2021-47047": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "1c26372e5aa9e53391a1f8fe0dc7cd93a7e5ba9e", "cmt_msg": "spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails", "fixes": "126bdb606fd2802454e6048caef1be3e25dd121e", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails\n\nThe spi controller supports 44-bit address space on AXI in DMA mode,\nso set dma_addr_t width to 44-bit to avoid using a swiotlb mapping.\nIn addition, if dma_map_single fails, it should return immediately\ninstead of continuing doing the DMA operation which bases on invalid\naddress.\n\nThis fixes the following crash which occurs in reading a big block\nfrom flash:\n\n[ 123.633577] zynqmp-qspi ff0f0000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used 0 (slots)\n[ 123.644230] zynqmp-qspi ff0f0000.spi: ERR:rxdma:memory not mapped\n[ 123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc0\n[ 123.792536] Mem abort info:\n[ 123.795313] ESR = 0x96000145\n[ 123.798351] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 123.803655] SET = 0, FnV = 0\n[ 123.806693] EA = 0, S1PTW = 0\n[ 123.809818] Data abort info:\n[ 123.812683] ISV = 0, ISS = 0x00000145\n[ 123.816503] CM = 1, WnR = 1\n[ 123.819455] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000805047000\n[ 123.825887] 
[00000000003fffc0] pgd=0000000803b45003, p4d=0000000803b45003, pud=0000000000000000\n[ 123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47047", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47047", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47047", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47047", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47047", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47047" } }, "CVE-2021-47048": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "1c26372e5aa9e53391a1f8fe0dc7cd93a7e5ba9e", "cmt_msg": "spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op", "fixes": "a2c5bedb2d55dd27c642c7b9fb6886d7ad7bdb58", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op\n\nWhen handling op->addr, it is using the buffer \"tmpbuf\" which has been\nfreed. This will trigger a use-after-free KASAN warning. 
Let's use\ntemporary variables to store op->addr.val and op->cmd.opcode to fix\nthis issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47048", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47048", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47048", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47048", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47048", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47048" } }, "CVE-2021-47049": { "affected_versions": "v4.14-rc1 to v5.13-rc1", "breaks": "6f3d791f300618caf82a2be0c27456edd76d5164", "cmt_msg": "Drivers: hv: vmbus: Use after free in __vmbus_open()", "fixes": "3e9bf43f7f7a46f21ec071cb47be92d0874c48da", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Use after free in __vmbus_open()\n\nThe \"open_info\" variable is added to the &vmbus_connection.chn_msg_list,\nbut the error handling frees \"open_info\" without removing it from the\nlist. This will result in a use after free. 
First remove it from the\nlist, and then free it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47049", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47049", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47049", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47049", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47049", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47049" } }, "CVE-2021-47050": { "affected_versions": "v5.9-rc1 to v5.13-rc1", "breaks": "ca7d8b980b67f133317525c4273e144116ee1ae5", "cmt_msg": "memory: renesas-rpc-if: fix possible NULL pointer dereference of resource", "fixes": "59e27d7c94aa02da039b000d33c304c179395801", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: renesas-rpc-if: fix possible NULL pointer dereference of resource\n\nThe platform_get_resource_byname() can return NULL which would be\nimmediately dereferenced by resource_size(). 
Instead dereference it\nafter validating the resource.\n\nAddresses-Coverity: Dereference null return value", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47050", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47050", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47050", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47050", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47050", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47050" } }, "CVE-2021-47051": { "affected_versions": "v5.2-rc1 to v5.13-rc1", "breaks": "944c01a889d97dc08e1b71f4ed868f4023fd6034", "cmt_msg": "spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()", "fixes": "a03675497970a93fcf25d81d9d92a59c2d7377a7", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()\n\npm_runtime_get_sync will increment pm usage counter even it failed.\nForgetting to putting operation will result in reference leak here.\nFix it by replacing it with pm_runtime_resume_and_get to keep usage\ncounter balanced.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47051", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47051", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47051", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47051", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47051", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47051" } }, "CVE-2021-47052": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "crypto: sa2ul - Fix memory leak of rxd", "fixes": "854b7737199848a91f6adfa0a03cf6f0c46c86e8", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sa2ul - Fix memory leak of rxd\n\nThere are two 
error return paths that are not freeing rxd and causing\nmemory leaks. Fix these.\n\nAddresses-Coverity: (\"Resource leak\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47052", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47052", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47052", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47052", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47052", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47052" } }, "CVE-2021-47053": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "d9b45418a91773b7672e4c60037a28074b495c6d", "cmt_msg": "crypto: sun8i-ss - Fix memory leak of pad", "fixes": "50274b01ac1689b1a3f6bc4b5b3dbf361a55dd3a", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ss - Fix memory leak of pad\n\nIt appears there are several failure return paths that don't seem\nto be free'ing pad. 
Fix these.\n\nAddresses-Coverity: (\"Resource leak\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47053", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47053", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47053", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47053", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47053", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47053" } }, "CVE-2021-47054": { "affected_versions": "v4.9-rc1 to v5.13-rc1", "breaks": "335a127548081322bd2b294d715418648912f20c", "cmt_msg": "bus: qcom: Put child node before return", "fixes": "ac6ad7c2a862d682bb584a4bc904d89fa7721af8", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: qcom: Put child node before return\n\nPut child node before return to fix potential reference count leak.\nGenerally, the reference count of child is incremented and decremented\nautomatically in the macro for_each_available_child_of_node() and should\nbe decremented manually if the loop is broken in loop body.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47054", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47054", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47054", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47054", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47054", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47054" } }, "CVE-2021-47055": { "affected_versions": "v5.9-rc1 to v5.13-rc1", "breaks": "f7e6b19bc76471ba03725fe58e0c218a3d6266c3", "cmt_msg": "mtd: require write permissions for locking and badblock ioctls", "fixes": "1e97743fd180981bef5f01402342bb54bf1c6366", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: require write permissions for locking and 
badblock ioctls\n\nMEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require\nwrite permission. Depending on the hardware MEMLOCK might even be\nwrite-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK\nis always write-once.\n\nMEMSETBADBLOCK modifies the bad block table.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47055", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47055", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47055", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47055", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47055", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47055" } }, "CVE-2021-47056": { "affected_versions": "v4.7-rc1 to v5.13-rc1", "breaks": "25c6ffb249f612c56a48ce48a3887adf57b8f4bd", "cmt_msg": "crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init", "fixes": "8609f5cfdc872fc3a462efa6a3eca5cb1e2f6446", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init\n\nADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()\nbefore calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the\nvf2pf_lock is initialized in adf_dev_init(), which can fail and when it\nfail, the vf2pf_lock is either not initialized or destroyed, a subsequent\nuse of vf2pf_lock will cause issue.\nTo fix this issue, only set this flag if adf_dev_init() returns 0.\n\n[ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0\n[ 7.180345] Call Trace:\n[ 7.182576] mutex_lock+0xc9/0xd0\n[ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat]\n[ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]\n[ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat]\n[ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf]", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2021-47056", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47056", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47056", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47056", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47056", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47056" } }, "CVE-2021-47057": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "ac2614d721dea2ff273af19c6c5d508d58a2bb3e", "cmt_msg": "crypto: sun8i-ss - Fix memory leak of object d when dma_iv fails to map", "fixes": "98b5ef3e97b16eaeeedb936f8bda3594ff84a70e", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ss - Fix memory leak of object d when dma_iv fails to map\n\nIn the case where the dma_iv mapping fails, the return error path leaks\nthe memory allocated to object d. Fix this by adding a new error return\nlabel and jumping to this to ensure d is free'd before the return.\n\nAddresses-Coverity: (\"Resource leak\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47057", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47057", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47057", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47057", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47057", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47057" } }, "CVE-2021-47058": { "affected_versions": "v5.11-rc3 to v5.13-rc1", "breaks": "cffa4b2122f5f3e53cf3d529bbc74651f95856d5", "cmt_msg": "regmap: set debugfs_name to NULL after it is freed", "fixes": "e41a962f82e7afb5b1ee644f48ad0b3aee656268", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: set debugfs_name to NULL after it is freed\n\nThere is a upstream commit 
cffa4b2122f5(\"regmap:debugfs:\nFix a memory leak when calling regmap_attach_dev\") that\nadds a if condition when create name for debugfs_name.\nWith below function invoking logical, debugfs_name is\nfreed in regmap_debugfs_exit(), but it is not created again\nbecause of the if condition introduced by above commit.\nregmap_reinit_cache()\n\tregmap_debugfs_exit()\n\t...\n\tregmap_debugfs_init()\nSo, set debugfs_name to NULL after it is freed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47058", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47058", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47058", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47058", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47058", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47058" } }, "CVE-2021-47059": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "crypto: sun8i-ss - fix result memory leak on error path", "fixes": "1dbc6a1e25be8575d6c4114d1d2b841a796507f7", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ss - fix result memory leak on error path\n\nThis patch fixes a memory leak on an error path.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47059", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47059", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47059", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47059", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47059", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47059" } }, "CVE-2021-47060": { "affected_versions": "v5.9-rc5 to v5.13-rc1", "breaks": "f65886606c2d3b562716de030706dfe1bea4ed5e", "cmt_msg": "KVM: Stop looking for coalesced MMIO zones if the bus is destroyed", "fixes": "5d3c4c79384af06e3c8e25b7770b6247496b4417", "last_affected_version": "5.12.3", 
"last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Stop looking for coalesced MMIO zones if the bus is destroyed\n\nAbort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev()\nfails to allocate memory for the new instance of the bus. If it can't\ninstantiate a new bus, unregister_dev() destroys all devices _except_ the\ntarget device. But, it doesn't tell the caller that it obliterated the\nbus and invoked the destructor for all devices that were on the bus. In\nthe coalesced MMIO case, this can result in a deleted list entry\ndereference due to attempting to continue iterating on coalesced_zones\nafter future entries (in the walk) have been deleted.\n\nOpportunistically add curly braces to the for-loop, which encompasses\nmany lines but sneaks by without braces due to the guts being a single\nif statement.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47060", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47060", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47060", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47060", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47060", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47060" } }, "CVE-2021-47061": { "affected_versions": "v5.9-rc5 to v5.13-rc1", "breaks": "f65886606c2d3b562716de030706dfe1bea4ed5e", "cmt_msg": "KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU", "fixes": "2ee3757424be7c1cd1d0bbfa6db29a7edd82a250", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU\n\nIf allocating a new instance of an I/O bus fails when unregistering a\ndevice, wait to destroy the device until after all readers are guaranteed\nto see the new null bus. 
Destroying devices before the bus is nullified\ncould lead to use-after-free since readers expect the devices on their\nreference of the bus to remain valid.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47061", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47061", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47061", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47061", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47061", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47061" } }, "CVE-2021-47062": { "affected_versions": "v5.11-rc1 to v5.13-rc1", "breaks": "ad73109ae7ec30d5bfb76be108e304f9f0af4829", "cmt_msg": "KVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs", "fixes": "c36b16d29f3af5f32fc1b2a3401bf48f71cabee1", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs\n\nUse the kvm_for_each_vcpu() helper to iterate over vCPUs when encrypting\nVMSAs for SEV, which effectively switches to use online_vcpus instead of\ncreated_vcpus. This fixes a possible null-pointer dereference as\ncreated_vcpus does not guarantee a vCPU exists, since it is updated at\nthe very beginning of KVM_CREATE_VCPU. 
created_vcpus exists to allow the\nbulk of vCPU creation to run in parallel, while still correctly\nrestricting the max number of max vCPUs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47062", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47062", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47062", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47062", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47062", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47062" } }, "CVE-2021-47063": { "affected_versions": "v4.13-rc1 to v5.13-rc1", "breaks": "13dfc0540a575b47b2d640b093ac16e9e09474f6", "cmt_msg": "drm: bridge/panel: Cleanup connector on bridge detach", "fixes": "4d906839d321c2efbf3fed4bc31ffd9ff55b75c0", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge/panel: Cleanup connector on bridge detach\n\nIf we don't call drm_connector_cleanup() manually in\npanel_bridge_detach(), the connector will be cleaned up with the other\nDRM objects in the call to drm_mode_config_cleanup(). However, since our\ndrm_connector is devm-allocated, by the time drm_mode_config_cleanup()\nwill be called, our connector will be long gone. 
Therefore, the\nconnector must be cleaned up when the bridge is detached to avoid\nuse-after-free conditions.\n\nv2: Cleanup connector only if it was created\n\nv3: Add FIXME\n\nv4: (Use connector->dev) directly in if() block", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47063", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47063", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47063", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47063", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47063", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47063" } }, "CVE-2021-47064": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "27d5c528a7ca08dcd44877fdd9fc08b76630bf77", "cmt_msg": "mt76: fix potential DMA mapping leak", "fixes": "b4403cee6400c5f679e9c4a82b91d61aa961eccf", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix potential DMA mapping leak\n\nWith buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap\ncould potentially inherit a non-zero value from stack garbage.\nIf this happens, it will cause DMA mappings for MCU command frames to not be\nunmapped after completion", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47064", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47064", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47064", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47064", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47064", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47064" } }, "CVE-2021-47065": { "affected_versions": "unk to v5.13-rc1", "breaks": "", "cmt_msg": "rtw88: Fix array overrun in rtw_get_tx_power_params()", "fixes": "2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following 
vulnerability has been resolved:\n\nrtw88: Fix array overrun in rtw_get_tx_power_params()\n\nUsing a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the\nfollowing array overrun is logged:\n\n================================================================================\nUBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34\nindex 5 is out of range for type 'u8 [5]'\nCPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651\nHardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014\nWorkqueue: phy0 ieee80211_scan_work [mac80211]\nCall Trace:\n dump_stack+0x64/0x7c\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold+0x43/0x48\n rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]\n ? rtw_pci_read16+0x20/0x20 [rtw_pci]\n ? check_hw_ready+0x50/0x90 [rtw_core]\n rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]\n rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]\n rtw_set_channel+0xab/0x110 [rtw_core]\n rtw_ops_config+0x87/0xc0 [rtw_core]\n ieee80211_hw_config+0x9d/0x130 [mac80211]\n ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]\n ieee80211_scan_work+0x19f/0x2a0 [mac80211]\n process_one_work+0x1dd/0x3a0\n worker_thread+0x49/0x330\n ? rescuer_thread+0x3a0/0x3a0\n kthread+0x134/0x150\n ? 
kthread_create_worker_on_cpu+0x70/0x70\n ret_from_fork+0x22/0x30\n================================================================================\n\nThe statement where an array is being overrun is shown in the following snippet:\n\n\tif (rate <= DESC_RATE11M)\n\t\ttx_power = pwr_idx_2g->cck_base[group];\n\telse\n====>\t\ttx_power = pwr_idx_2g->bw40_base[group];\n\nThe associated arrays are defined in main.h as follows:\n\nstruct rtw_2g_txpwr_idx {\n\tu8 cck_base[6];\n\tu8 bw40_base[5];\n\tstruct rtw_2g_1s_pwr_idx_diff ht_1s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_2s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_3s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_4s_diff;\n};\n\nThe problem arises because the value of group is 5 for channel 14. The trivial\nincrease in the dimension of bw40_base fails as this struct must match the layout of\nefuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set\nthe group for channel 14 to 4 if rate <= DESC_RATE11M.\n\nThis patch fixes commit fa6dfe6bff24 (\"rtw88: resolve order of tx power setting routines\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47065", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47065", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47065", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47065", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47065", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47065" } }, "CVE-2021-47066": { "affected_versions": "v5.10-rc1 to v5.13-rc1", "breaks": "29bcff787a2593b2126cfaff612c0b4e560022e9", "cmt_msg": "async_xor: increase src_offs when dropping destination page", "fixes": "ceaf2966ab082bbc4d26516f97b3ca8a676e2af8", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nasync_xor: increase src_offs when dropping destination page\n\nNow we support sharing one page if PAGE_SIZE is not equal 
stripe size. To\nsupport this, it needs to support calculating xor value with different\noffsets for each r5dev. One offset array is used to record those offsets.\n\nIn RMW mode, parity page is used as a source page. It sets\nASYNC_TX_XOR_DROP_DST before calculating xor value in ops_run_prexor5.\nSo it needs to add src_list and src_offs at the same time. Now it only\nneeds src_list. So the xor value which is calculated is wrong. It can\ncause data corruption problem.\n\nI can reproduce this problem 100% on a POWER8 machine. The steps are:\n\n mdadm -CR /dev/md0 -l5 -n3 /dev/sdb1 /dev/sdc1 /dev/sdd1 --size=3G\n mkfs.xfs /dev/md0\n mount /dev/md0 /mnt/test\n mount: /mnt/test: mount(2) system call failed: Structure needs cleaning.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47066", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47066", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47066", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47066", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47066", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47066" } }, "CVE-2021-47067": { "affected_versions": "v5.5-rc1 to v5.13-rc1", "breaks": "783807436f363e5b1ad4d43ba7debbedfcadbb99", "cmt_msg": "soc/tegra: regulators: Fix locking up when voltage-spread is out of range", "fixes": "ef85bb582c41524e9e68dfdbde48e519dac4ab3d", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc/tegra: regulators: Fix locking up when voltage-spread is out of range\n\nFix voltage coupler lockup which happens when voltage-spread is out\nof range due to a bug in the code. The max-spread requirement shall be\naccounted when CPU regulator doesn't have consumers. 
This problem is\nobserved on Tegra30 Ouya game console once system-wide DVFS is enabled\nin a device-tree.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47067", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47067", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47067", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47067", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47067", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47067" } }, "CVE-2021-47068": { "affected_versions": "v5.12-rc7 to v5.13-rc1", "breaks": "c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d", "cmt_msg": "net/nfc: fix use-after-free llcp_sock_bind/connect", "fixes": "c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6", "last_affected_version": "5.12.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/nfc: fix use-after-free llcp_sock_bind/connect\n\nCommits 8a4cd82d (\"nfc: fix refcount leak in llcp_sock_connect()\")\nand c33b1cc62 (\"nfc: fix refcount leak in llcp_sock_bind()\")\nfixed a refcount leak bug in bind/connect but introduced a\nuse-after-free if the same local is assigned to 2 different sockets.\n\nThis can be triggered by the following simple program:\n int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );\n int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );\n memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );\n addr.sa_family = AF_NFC;\n addr.nfc_protocol = NFC_PROTO_NFC_DEP;\n bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )\n bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )\n close(sock1);\n close(sock2);\n\nFix this by assigning NULL to llcp_sock->local after calling\nnfc_llcp_local_put.\n\nThis addresses CVE-2021-23134.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47068", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47068", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-47068", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47068", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47068", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47068" } }, "CVE-2021-47069": { "affected_versions": "v5.6-rc1 to v5.13-rc3", "breaks": "c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04", "cmt_msg": "ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry", "fixes": "a11ddb37bf367e6b5239b95ca759e5389bb46048", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry\n\ndo_mq_timedreceive calls wq_sleep with a stack local address. The\nsender (do_mq_timedsend) uses this address to later call pipelined_send.\n\nThis leads to a very hard to trigger race where a do_mq_timedreceive\ncall might return and leave do_mq_timedsend to rely on an invalid\naddress, causing the following crash:\n\n RIP: 0010:wake_q_add_safe+0x13/0x60\n Call Trace:\n __x64_sys_mq_timedsend+0x2a9/0x490\n do_syscall_64+0x80/0x680\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n RIP: 0033:0x7f5928e40343\n\nThe race occurs as:\n\n1. do_mq_timedreceive calls wq_sleep with the address of `struct\n ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it\n holds a valid `struct ext_wait_queue *` as long as the stack has not\n been overwritten.\n\n2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and\n do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call\n __pipelined_op.\n\n3. Sender calls __pipelined_op::smp_store_release(&this->state,\n STATE_READY). Here is where the race window begins. (`this` is\n `ewq_addr`.)\n\n4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it\n will see `state == STATE_READY` and break.\n\n5. 
do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed\n to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's\n stack. (Although the address may not get overwritten until another\n function happens to touch it, which means it can persist around for an\n indefinite time.)\n\n6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a\n `struct ext_wait_queue *`, and uses it to find a task_struct to pass to\n the wake_q_add_safe call. In the lucky case where nothing has\n overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct.\n In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a\n bogus address as the receiver's task_struct causing the crash.\n\ndo_mq_timedsend::__pipelined_op() should not dereference `this` after\nsetting STATE_READY, as the receiver counterpart is now free to return.\nChange __pipelined_op to call wake_q_add_safe on the receiver's\ntask_struct returned by get_task_struct, instead of dereferencing `this`\nwhich sits on the receiver's stack.\n\nAs Manfred pointed out, the race potentially also exists in\nipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. 
Fix\nthose in the same way.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47069", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47069", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47069", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47069", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47069", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47069" } }, "CVE-2021-47070": { "affected_versions": "unk to v5.13-rc3", "breaks": "", "cmt_msg": "uio_hv_generic: Fix another memory leak in error handling paths", "fixes": "0b0226be3a52dadd965644bc52a807961c2c26df", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix another memory leak in error handling paths\n\nMemory allocated by 'vmbus_alloc_ring()' at the beginning of the probe\nfunction is never freed in the error handling path.\n\nAdd the missing 'vmbus_free_ring()' call.\n\nNote that it is already freed in the .remove function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47070", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47070", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47070", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47070", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47070", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47070" } }, "CVE-2021-47071": { "affected_versions": "v4.20-rc1 to v5.13-rc3", "breaks": "cdfa835c6e5e87d145f9f632b58843de97509f2b", "cmt_msg": "uio_hv_generic: Fix a memory leak in error handling paths", "fixes": "3ee098f96b8b6c1a98f7f97915f8873164e6af9d", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix a memory leak in error handling paths\n\nIf 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not 
be\nupdated and 'hv_uio_cleanup()' in the error handling path will not be\nable to free the corresponding buffer.\n\nIn such a case, we need to free the buffer explicitly.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47071", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47071", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47071", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47071", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47071", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47071" } }, "CVE-2021-47072": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc3", "breaks": "64d6b281ba4db044c946158387c74e1149b9487e", "cmt_msg": "btrfs: fix removed dentries still existing after log is synced", "fixes": "54a40fc3a1da21b52dbf19f72fdc27a2ec740760", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix removed dentries still existing after log is synced\n\nWhen we move one inode from one directory to another and both the inode\nand its previous parent directory were logged before, we are not supposed\nto have the dentry for the old parent if we have a power failure after the\nlog is synced. Only the new dentry is supposed to exist.\n\nGenerally this works correctly, however there is a scenario where this is\nnot currently working, because the old parent of the file/directory that\nwas moved is not authoritative for a range that includes the dir index and\ndir item keys of the old dentry. This case is better explained with the\nfollowing example and reproducer:\n\n # The test requires a very specific layout of keys and items in the\n # fs/subvolume btree to trigger the bug. 
So we want to make sure that\n # on whatever platform we are, we have the same leaf/node size.\n #\n # Currently in btrfs the node/leaf size can not be smaller than the page\n # size (but it can be greater than the page size). So use the largest\n # supported node/leaf size (64K).\n\n $ mkfs.btrfs -f -n 65536 /dev/sdc\n $ mount /dev/sdc /mnt\n\n # \"testdir\" is inode 257.\n $ mkdir /mnt/testdir\n $ chmod 755 /mnt/testdir\n\n # Create several empty files to have the directory \"testdir\" with its\n # items spread over several leaves (7 in this case).\n $ for ((i = 1; i <= 1200; i++)); do\n echo -n > /mnt/testdir/file$i\n done\n\n # Create our test directory \"dira\", inode number 1458, which gets all\n # its items in leaf 7.\n #\n # The BTRFS_DIR_ITEM_KEY item for inode 257 (\"testdir\") that points to\n # the entry named \"dira\" is in leaf 2, while the BTRFS_DIR_INDEX_KEY\n # item that points to that entry is in leaf 3.\n #\n # For this particular filesystem node size (64K), file count and file\n # names, we endup with the directory entry items from inode 257 in\n # leaves 2 and 3, as previously mentioned - what matters for triggering\n # the bug exercised by this test case is that those items are not placed\n # in leaf 1, they must be placed in a leaf different from the one\n # containing the inode item for inode 257.\n #\n # The corresponding BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items for\n # the parent inode (257) are the following:\n #\n # item 460 key (257 DIR_ITEM 3724298081) itemoff 48344 itemsize 34\n # location key (1458 INODE_ITEM 0) type DIR\n # transid 6 data_len 0 name_len 4\n # name: dira\n #\n # and:\n #\n # item 771 key (257 DIR_INDEX 1202) itemoff 36673 itemsize 34\n # location key (1458 INODE_ITEM 0) type DIR\n # transid 6 data_len 0 name_len 4\n # name: dira\n\n $ mkdir /mnt/testdir/dira\n\n # Make sure everything done so far is durably persisted.\n $ sync\n\n # Now do a change to inode 257 (\"testdir\") that does not result in\n # COWing 
leaves 2 and 3 - the leaves that contain the directory items\n # pointing to inode 1458 (directory \"dira\").\n #\n # Changing permissions, the owner/group, updating or adding a xattr,\n # etc, will not change (COW) leaves 2 and 3. So for the sake of\n # simplicity change the permissions of inode 257, which results in\n # updating its inode item and therefore change (COW) only leaf 1.\n\n $ chmod 700 /mnt/testdir\n\n # Now fsync directory inode 257.\n #\n # Since only the first leaf was changed/COWed, we log the inode item of\n # inode 257 and only the dentries found in the first leaf, all have a\n # key type of BTRFS_DIR_ITEM_KEY, and no keys of type\n # BTRFS_DIR_INDEX_KEY, because they sort after the former type and none\n # exist in the first leaf.\n #\n # We also log 3 items that represent ranges for dir items and dir\n # indexes for which the log is authoritative:\n #\n # 1) a key of type BTRFS_DIR_LOG_ITEM_KEY, which indicates the log is\n # authoritative for all BTRFS_DIR_ITEM_KEY keys that have an offset\n # in the range [0, 2285968570] (the offset here is th\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47072", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47072", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47072", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47072", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47072", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47072" } }, "CVE-2021-47073": { "affected_versions": "v4.15-rc1 to v5.13-rc3", "breaks": "1a258e670434f404a4500b65ba1afea2c2b29bba", "cmt_msg": "platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios", "fixes": "3a53587423d25c87af4b4126a806a0575104b45e", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios\n\ninit_dell_smbios_wmi() only 
registers the dell_smbios_wmi_driver on systems\nwhere the Dell WMI interface is supported. While exit_dell_smbios_wmi()\nunregisters it unconditionally, this leads to the following oops:\n\n[ 175.722921] ------------[ cut here ]------------\n[ 175.722925] Unexpected driver unregister!\n[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40\n...\n[ 175.723089] Call Trace:\n[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios]\n...\n[ 175.723148] ---[ end trace 064c34e1ad49509d ]---\n\nMake the unregister happen on the same condition the register happens\nto fix this.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47073", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47073", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47073", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47073", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47073", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47073" } }, "CVE-2021-47074": { "affected_versions": "v4.8-rc1 to v5.13-rc3", "breaks": "3a85a5de29ea779634ddfd768059e06196687aba", "cmt_msg": "nvme-loop: fix memory leak in nvme_loop_create_ctrl()", "fixes": "03504e3b54cc8118cc26c064e60a0b00c2308708", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-loop: fix memory leak in nvme_loop_create_ctrl()\n\nWhen creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()\nfails, the loop ctrl should be freed before jumping to the \"out\" label.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47074", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47074", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47074", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47074", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47074", "Ubuntu": 
"https://ubuntu.com/security/CVE-2021-47074" } }, "CVE-2021-47075": { "affected_versions": "unk to v5.13-rc3", "breaks": "", "cmt_msg": "nvmet: fix memory leak in nvmet_alloc_ctrl()", "fixes": "fec356a61aa3d3a66416b4321f1279e09e0f256f", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix memory leak in nvmet_alloc_ctrl()\n\nWhen creating ctrl in nvmet_alloc_ctrl(), if the cntlid_min is larger\nthan cntlid_max of the subsystem, and jumps to the\n\"out_free_changed_ns_list\" label, but the ctrl->sqs lack of be freed.\nFix this by jumping to the \"out_free_sqs\" label.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47075", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47075", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47075", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47075", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47075", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47075" } }, "CVE-2021-47076": { "affected_versions": "unk to v5.13-rc3", "breaks": "", "cmt_msg": "RDMA/rxe: Return CQE error if invalid lkey was supplied", "fixes": "dc07628bd2bbc1da768e265192c28ebd301f509d", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Return CQE error if invalid lkey was supplied\n\nRXE is missing update of WQE status in LOCAL_WRITE failures. 
This caused\nthe following kernel panic if someone sent an atomic operation with an\nexplicitly wrong lkey.\n\n[leonro@vm ~]$ mkt test\ntest_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...\n WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core\n CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff\n RSP: 0018:ffff8880158af090 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652\n RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210\n RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b\n R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8\n R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c\n FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_rcv+0xb11/0x1df0 [rdma_rxe]\n rxe_loopback+0x157/0x1e0 [rdma_rxe]\n rxe_responder+0x5532/0x7620 [rdma_rxe]\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_rcv+0x9c8/0x1df0 [rdma_rxe]\n rxe_loopback+0x157/0x1e0 [rdma_rxe]\n rxe_requester+0x1efd/0x58c0 [rdma_rxe]\n rxe_do_task+0x130/0x230 [rdma_rxe]\n rxe_post_send+0x998/0x1860 
[rdma_rxe]\n ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]\n ib_uverbs_write+0x847/0xc80 [ib_uverbs]\n vfs_write+0x1c5/0x840\n ksys_write+0x176/0x1d0\n do_syscall_64+0x3f/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47076", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47076", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47076", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47076", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47076", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47076" } }, "CVE-2021-47077": { "affected_versions": "v4.11-rc1 to v5.13-rc3", "breaks": "61d8658b4a435eac729966cc94cdda077a8df5cd", "cmt_msg": "scsi: qedf: Add pointer checks in qedf_update_link_speed()", "fixes": "73578af92a0fae6609b955fcc9113e50e413c80f", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Add pointer checks in qedf_update_link_speed()\n\nThe following trace was observed:\n\n [ 14.042059] Call Trace:\n [ 14.042061] \n [ 14.042068] qedf_link_update+0x144/0x1f0 [qedf]\n [ 14.042117] qed_link_update+0x5c/0x80 [qed]\n [ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed]\n [ 14.042155] ? qed_set_ptt+0x70/0x80 [qed]\n [ 14.042170] ? qed_set_ptt+0x70/0x80 [qed]\n [ 14.042186] ? qed_rd+0x13/0x40 [qed]\n [ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed]\n [ 14.042221] ? qed_set_ptt+0x70/0x80 [qed]\n [ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed]\n [ 14.042245] tasklet_action_common.isra.14+0x5a/0x100\n [ 14.042250] __do_softirq+0xe4/0x2f8\n [ 14.042253] irq_exit+0xf7/0x100\n [ 14.042255] do_IRQ+0x7f/0xd0\n [ 14.042257] common_interrupt+0xf/0xf\n [ 14.042259] \n\nAPI qedf_link_update() is getting called from QED but by that time\nshost_data is not initialised. 
This results in a NULL pointer dereference\nwhen we try to dereference shost_data while updating supported_speeds.\n\nAdd a NULL pointer check before dereferencing shost_data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47077", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47077", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47077", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47077" } }, "CVE-2021-47078": { "affected_versions": "v4.8-rc1 to v5.13-rc3", "breaks": "8700e3e7c4857d28ebaa824509934556da0b3e76", "cmt_msg": "RDMA/rxe: Clear all QP fields if creation failed", "fixes": "67f29896fdc83298eed5a6576ff8f9873f709228", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Clear all QP fields if creation failed\n\nrxe_qp_do_cleanup() relies on valid pointer values in QP for the properly\ncreated ones, but in case rxe_qp_from_init() failed it was filled with\ngarbage and caused tot the following error.\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n Modules linked in:\n CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55\n RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67\n RBP: 
0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800\n R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000\n FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n kref_put include/linux/kref.h:64 [inline]\n rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805\n execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327\n rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391\n kref_put include/linux/kref.h:65 [inline]\n rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425\n _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]\n ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231\n ib_create_qp include/rdma/ib_verbs.h:3644 [inline]\n create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920\n ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]\n ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092\n add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717\n enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331\n ib_register_device drivers/infiniband/core/device.c:1413 [inline]\n ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365\n rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147\n rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247\n rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503\n rxe_newlink 
drivers/infiniband/sw/rxe/rxe.c:269 [inline]\n rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250\n nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555\n rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47078", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47078", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47078", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47078", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47078", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47078" } }, "CVE-2021-47079": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc3", "breaks": "ff36b0d953dc4cbc40a72945920ff8e805f1b0da", "cmt_msg": "platform/x86: ideapad-laptop: fix a NULL pointer dereference", "fixes": "ff67dbd554b2aaa22be933eced32610ff90209dd", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: ideapad-laptop: fix a NULL pointer dereference\n\nThe third parameter of dytc_cql_command should not be NULL since it will\nbe dereferenced immediately.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47079", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2021-47079", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47079", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47079", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47079", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47079" } }, "CVE-2021-47080": { "affected_versions": "v5.10-rc1 to v5.13-rc3", "breaks": "9f85cbe50aa044a46f0a22fda323fa27b80c82da", "cmt_msg": "RDMA/core: Prevent divide-by-zero error triggered by the user", "fixes": "54d87913f147a983589923c7f651f97de9af5be1", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Prevent divide-by-zero error triggered by the user\n\nThe user_entry_size is supplied by the user and later used as a\ndenominator to calculate number of entries. The zero supplied by the user\nwill trigger the following divide-by-zero error:\n\n divide error: 0000 [#1] SMP KASAN PTI\n CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510\n Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b\n RSP: 0018:ffff88810416f828 EFLAGS: 00010246\n RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d\n RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000\n RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f\n R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0\n FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000840 CR3: 
000000010c2e0001 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0\n ib_uverbs_cmd_verbs+0x1546/0x1940\n ib_uverbs_ioctl+0x186/0x240\n __x64_sys_ioctl+0x38a/0x1220\n do_syscall_64+0x3f/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47080", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47080", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47080", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47080", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47080", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47080" } }, "CVE-2021-47081": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc3", "breaks": "423815bf02e257091d5337be5c63b57fc29e4254", "cmt_msg": "habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory", "fixes": "115726c5d312b462c9d9931ea42becdfa838a076", "last_affected_version": "5.12.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory\n\nOur code analyzer reported a uaf.\n\nIn gaudi_memset_device_memory, cb is get via hl_cb_kernel_create()\nwith 2 refcount.\nIf hl_cs_allocate_job() failed, the execution runs into release_cb\nbranch. One ref of cb is dropped by hl_cb_put(cb) and could be freed\nif other thread also drops one ref. 
Then cb is used by cb->id later,\nwhich is a potential uaf.\n\nMy patch add a variable 'id' to accept the value of cb->id before the\nhl_cb_put(cb) is called, to avoid the potential uaf.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47081", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47081", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47081", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47081", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47081", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47081" } }, "CVE-2021-47082": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tun: avoid double free in tun_free_netdev", "fixes": "158b515f703e75e7d68289bf4d98c664e1d632df", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: avoid double free in tun_free_netdev\n\nAvoid double free in tun_free_netdev() by moving the\ndev->tstats and tun->security allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there's an error in register_netdevice() the destructor\nwill handle the frees.\n\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\n\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 
[inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47082", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47082", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47082", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47082", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47082", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47082" } }, "CVE-2021-47083": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "pinctrl: mediatek: fix global-out-of-bounds issue", "fixes": "2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mediatek: fix global-out-of-bounds issue\n\nWhen eint virtual eint number is greater than gpio number,\nit maybe produce 'desc[eint_n]' size globle-out-of-bounds issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47083", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47083", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47083", 
"Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47083", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47083", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47083" } }, "CVE-2021-47086": { "affected_versions": "v3.3-rc1 to v5.16-rc7", "breaks": "bdb6e697b2a76c541960b86ab8fda88f3de1adf2", "cmt_msg": "phonet/pep: refuse to enable an unbound pipe", "fixes": "75a2f31520095600f650597c0ac41f48b5ba0068", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: refuse to enable an unbound pipe\n\nThis ioctl() implicitly assumed that the socket was already bound to\na valid local socket name, i.e. Phonet object. If the socket was not\nbound, two separate problems would occur:\n\n1) We'd send an pipe enablement request with an invalid source object.\n2) Later socket calls could BUG on the socket unexpectedly being\n connected yet not bound to a valid object.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47086", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47086", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47086", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47086", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47086", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47086" } }, "CVE-2021-47087": { "affected_versions": "v5.14-rc5 to v5.16-rc7", "breaks": "ec185dd3ab257dc2a60953fdf1b6622f524cc5b7", "cmt_msg": "tee: optee: Fix incorrect page free bug", "fixes": "18549bf4b21c739a9def39f27dcac53e27286ab5", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix incorrect page free bug\n\nPointer to the allocated pages (struct page *page) has already\nprogressed towards the end of allocation. 
It is incorrect to perform\n__free_pages(page, order) using this pointer as we would free any\narbitrary pages. Fix this by stop modifying the page pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47087", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47087", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47087", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47087", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47087", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47087" } }, "CVE-2021-47088": { "affected_versions": "v5.15-rc1 to v5.16-rc7", "breaks": "4bc05954d0076655cfaf6f0135585bdc20cd6b11", "cmt_msg": "mm/damon/dbgfs: protect targets destructions with kdamond_lock", "fixes": "34796417964b8d0aef45a99cf6c2d20cebe33733", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: protect targets destructions with kdamond_lock\n\nDAMON debugfs interface iterates current monitoring targets in\n'dbgfs_target_ids_read()' while holding the corresponding\n'kdamond_lock'. However, it also destructs the monitoring targets in\n'dbgfs_before_terminate()' without holding the lock. This can result in\na use_after_free bug. 
This commit avoids the race by protecting the\ndestruction with the corresponding 'kdamond_lock'.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47088", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47088", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47088", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47088", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47088", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47088" } }, "CVE-2021-47089": { "affected_versions": "v5.12-rc1-dontuse to v5.16-rc7", "breaks": "0ce20dd840897b12ae70869c69f1ba34d6d16965", "cmt_msg": "kfence: fix memory leak when cat kfence objects", "fixes": "0129ab1f268b6cf88825eae819b9b84aa0a85634", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nkfence: fix memory leak when cat kfence objects\n\nHulk robot reported a kmemleak problem:\n\n unreferenced object 0xffff93d1d8cc02e8 (size 248):\n comm \"cat\", pid 23327, jiffies 4624670141 (age 495992.217s)\n hex dump (first 32 bytes):\n 00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n seq_open+0x2a/0x80\n full_proxy_open+0x167/0x1e0\n do_dentry_open+0x1e1/0x3a0\n path_openat+0x961/0xa20\n do_filp_open+0xae/0x120\n do_sys_openat2+0x216/0x2f0\n do_sys_open+0x57/0x80\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n unreferenced object 0xffff93d419854000 (size 4096):\n comm \"cat\", pid 23327, jiffies 4624670141 (age 495992.217s)\n hex dump (first 32 bytes):\n 6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30 kfence-#250: 0x0\n 30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d 0000000754bda12-\n backtrace:\n seq_read_iter+0x313/0x440\n seq_read+0x14b/0x1a0\n full_proxy_read+0x56/0x80\n vfs_read+0xa5/0x1b0\n ksys_read+0xa0/0xf0\n do_syscall_64+0x33/0x40\n 
entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nI find that we can easily reproduce this problem with the following\ncommands:\n\n\tcat /sys/kernel/debug/kfence/objects\n\techo scan > /sys/kernel/debug/kmemleak\n\tcat /sys/kernel/debug/kmemleak\n\nThe leaked memory is allocated in the stack below:\n\n do_syscall_64\n do_sys_open\n do_dentry_open\n full_proxy_open\n seq_open ---> alloc seq_file\n vfs_read\n full_proxy_read\n seq_read\n seq_read_iter\n traverse ---> alloc seq_buf\n\nAnd it should have been released in the following process:\n\n do_syscall_64\n syscall_exit_to_user_mode\n exit_to_user_mode_prepare\n task_work_run\n ____fput\n __fput\n full_proxy_release ---> free here\n\nHowever, the release function corresponding to file_operations is not\nimplemented in kfence. As a result, a memory leak occurs. Therefore,\nthe solution to this problem is to implement the corresponding release\nfunction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47089", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47089", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47089", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47089", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47089", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47089" } }, "CVE-2021-47090": { "affected_versions": "v5.10-rc1 to v5.16-rc7", "breaks": "b94e02822debdf0cc473556aad7dcc859f216653", "cmt_msg": "mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()", "fixes": "2a57d83c78f889bf3f54eede908d0643c40d5418", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()\n\nHulk Robot reported a panic in put_page_testzero() when testing\nmadvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying\nget_any_page(). 
This is because we keep MF_COUNT_INCREASED flag in\nsecond try but the refcnt is not increased.\n\n page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)\n ------------[ cut here ]------------\n kernel BUG at include/linux/mm.h:737!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n RIP: release_pages+0x53f/0x840\n Call Trace:\n free_pages_and_swap_cache+0x64/0x80\n tlb_flush_mmu+0x6f/0x220\n unmap_page_range+0xe6c/0x12c0\n unmap_single_vma+0x90/0x170\n unmap_vmas+0xc4/0x180\n exit_mmap+0xde/0x3a0\n mmput+0xa3/0x250\n do_exit+0x564/0x1470\n do_group_exit+0x3b/0x100\n __do_sys_exit_group+0x13/0x20\n __x64_sys_exit_group+0x16/0x20\n do_syscall_64+0x34/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n Modules linked in:\n ---[ end trace e99579b570fe0649 ]---\n RIP: 0010:release_pages+0x53f/0x840", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47090", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47090", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47090", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47090", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47090", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47090" } }, "CVE-2021-47091": { "affected_versions": "v5.10-rc1 to v5.16-rc7", "breaks": "295b02c4be74bebf988593b8322369513fcecf68", "cmt_msg": "mac80211: fix locking in ieee80211_start_ap error path", "fixes": "87a270625a89fc841f1a7e21aae6176543d8385c", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix locking in ieee80211_start_ap error path\n\nWe need to hold the local->mtx to release the channel context,\nas even encoded by the lockdep_assert_held() there. 
Fix it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47091", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47091", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47091", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47091", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47091", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47091" } }, "CVE-2021-47092": { "affected_versions": "v5.15-rc4 to v5.16-rc7", "breaks": "c8607e4a086fae05efe5bffb47c5199c65e7216e", "cmt_msg": "KVM: VMX: Always clear vmx->fail on emulation_required", "fixes": "a80dfc025924024d2c61a4c1b8ef62b2fce76a04", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Always clear vmx->fail on emulation_required\n\nRevert a relatively recent change that set vmx->fail if the vCPU is in L2\nand emulation_required is true, as that behavior is completely bogus.\nSetting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:\n\n (a) it's impossible to have both a VM-Fail and VM-Exit\n (b) vmcs.EXIT_REASON is not modified on VM-Fail\n (c) emulation_required refers to guest state and guest state checks are\n always VM-Exits, not VM-Fails.\n\nFor KVM specifically, emulation_required is handled before nested exits\nin __vmx_handle_exit(), thus setting vmx->fail has no immediate effect,\ni.e. 
KVM calls into handle_invalid_guest_state() and vmx->fail is ignored.\nSetting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit()\nfiring when tearing down the VM as KVM never expects vmx->fail to be set\nwhen L2 is active, KVM always reflects those errors into L1.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548\n nested_vmx_vmexit+0x16bd/0x17e0\n arch/x86/kvm/vmx/nested.c:4547\n Modules linked in:\n CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547\n Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80\n Call Trace:\n vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]\n nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330\n vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799\n kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989\n kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441\n kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]\n kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545\n kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]\n kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220\n kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489\n __fput+0x3fc/0x870 fs/file_table.c:280\n task_work_run+0x146/0x1c0 kernel/task_work.c:164\n exit_task_work include/linux/task_work.h:32 [inline]\n do_exit+0x705/0x24f0 kernel/exit.c:832\n do_group_exit+0x168/0x2d0 kernel/exit.c:929\n get_signal+0x1740/0x2120 kernel/signal.c:2852\n arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868\n handle_signal_work kernel/entry/common.c:148 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207\n 
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300\n do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x44/0xae", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47092", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47092", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47092", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47092", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47092", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47092" } }, "CVE-2021-47093": { "affected_versions": "v5.9 to v5.16-rc7", "breaks": "938835aa903ae19ad62805134f79bbcf20fc3bea", "cmt_msg": "platform/x86: intel_pmc_core: fix memleak on registration failure", "fixes": "26a8b09437804fabfb1db080d676b96c0de68e7c", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel_pmc_core: fix memleak on registration failure\n\nIn case device registration fails during module initialisation, the\nplatform device structure needs to be freed using platform_device_put()\nto properly free all resources (e.g. 
the device name).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47093", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47093", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47093", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47093", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47093", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47093" } }, "CVE-2021-47094": { "affected_versions": "v5.10-rc1 to v5.16-rc7", "breaks": "faaf05b00aecdb347ffd1d763d024394ec0329f8", "cmt_msg": "KVM: x86/mmu: Don't advance iterator after restart due to yielding", "fixes": "3a0f64de479cae75effb630a2e0a237ca0d0623c", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Don't advance iterator after restart due to yielding\n\nAfter dropping mmu_lock in the TDP MMU, restart the iterator during\ntdp_iter_next() and do not advance the iterator. Advancing the iterator\nresults in skipping the top-level SPTE and all its children, which is\nfatal if any of the skipped SPTEs were not visited before yielding.\n\nWhen zapping all SPTEs, i.e. when min_level == root_level, restarting the\niter and then invoking tdp_iter_next() is always fatal if the current gfn\nhas as a valid SPTE, as advancing the iterator results in try_step_side()\nskipping the current gfn, which wasn't visited before yielding.\n\nSprinkle WARNs on iter->yielded being true in various helpers that are\noften used in conjunction with yielding, and tag the helper with\n__must_check to reduce the probabily of improper usage.\n\nFailing to zap a top-level SPTE manifests in one of two ways. 
If a valid\nSPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(),\nthe shadow page will be leaked and KVM will WARN accordingly.\n\n WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]\n RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]\n Call Trace:\n \n kvm_arch_destroy_vm+0x130/0x1b0 [kvm]\n kvm_destroy_vm+0x162/0x2a0 [kvm]\n kvm_vcpu_release+0x34/0x60 [kvm]\n __fput+0x82/0x240\n task_work_run+0x5c/0x90\n do_exit+0x364/0xa10\n ? futex_unqueue+0x38/0x60\n do_group_exit+0x33/0xa0\n get_signal+0x155/0x850\n arch_do_signal_or_restart+0xed/0x750\n exit_to_user_mode_prepare+0xc5/0x120\n syscall_exit_to_user_mode+0x1d/0x40\n do_syscall_64+0x48/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIf kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by\nkvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of\nmarking a struct page as dirty/accessed after it has been put back on the\nfree list. This directly triggers a WARN due to encountering a page with\npage_count() == 0, but it can also lead to data corruption and additional\nerrors in the kernel.\n\n WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171\n RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]\n Call Trace:\n \n kvm_set_pfn_dirty+0x120/0x1d0 [kvm]\n __handle_changed_spte+0x92e/0xca0 [kvm]\n __handle_changed_spte+0x63c/0xca0 [kvm]\n __handle_changed_spte+0x63c/0xca0 [kvm]\n __handle_changed_spte+0x63c/0xca0 [kvm]\n zap_gfn_range+0x549/0x620 [kvm]\n kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]\n mmu_free_root_page+0x219/0x2c0 [kvm]\n kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]\n kvm_mmu_unload+0x1c/0xa0 [kvm]\n kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]\n kvm_put_kvm+0x3b1/0x8b0 [kvm]\n kvm_vcpu_release+0x4e/0x70 [kvm]\n __fput+0x1f7/0x8c0\n task_work_run+0xf8/0x1a0\n do_exit+0x97b/0x2230\n do_group_exit+0xda/0x2a0\n get_signal+0x3be/0x1e50\n arch_do_signal_or_restart+0x244/0x17f0\n exit_to_user_mode_prepare+0xcb/0x120\n 
syscall_exit_to_user_mode+0x1d/0x40\n do_syscall_64+0x4d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nNote, the underlying bug existed even before commit 1af4a96025b3 (\"KVM:\nx86/mmu: Yield in TDU MMU iter even if no SPTES changed\") moved calls to\ntdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still\nincorrectly advance past a top-level entry when yielding on a lower-level\nentry. But with respect to leaking shadow pages, the bug was introduced\nby yielding before processing the current gfn.\n\nAlternatively, tdp_mmu_iter_cond_resched() could simply fall through, or\ncallers could jump to their \"retry\" label. The downside of that approach\nis that tdp_mmu_iter_cond_resched() _must_ be called before anything else\nin the loop, and there's no easy way to enfornce that requirement.\n\nIdeally, KVM would handling the cond_resched() fully within the iterator\nmacro (the code is actually quite clean) and avoid this entire class of\nbugs, but that is extremely difficult do wh\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47094", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47094", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47094", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47094", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47094", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47094" } }, "CVE-2021-47095": { "affected_versions": "v5.4-rc1 to v5.16-rc7", "breaks": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c", "cmt_msg": "ipmi: ssif: initialize ssif_info->client early", "fixes": "34f35f8f14bc406efc06ee4ff73202c6fd245d15", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ssif: initialize ssif_info->client early\n\nDuring probe ssif_info->client is dereferenced in error path. 
However,\nit is set when some of the error checking has already been done. This\ncauses following kernel crash if an error path is taken:\n\n[ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present\n[ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088\n...\n[ 30.657723][ T674] pc : __dev_printk+0x28/0xa0\n[ 30.657732][ T674] lr : _dev_err+0x7c/0xa0\n...\n[ 30.657772][ T674] Call trace:\n[ 30.657775][ T674] __dev_printk+0x28/0xa0\n[ 30.657778][ T674] _dev_err+0x7c/0xa0\n[ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]\n[ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0\n...\n\nInitialize ssif_info->client before any error path can be taken. Clear\ni2c_client data in the error path to prevent the dangling pointer from\nleaking.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47095", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47095", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47095", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47095" } }, "CVE-2021-47096": { "affected_versions": "v5.15-rc4 to v5.16-rc7", "breaks": "09d23174402da0f10e98da2c61bb5ac8e7d79fdd", "cmt_msg": "ALSA: rawmidi - fix the uninitalized user_pversion", "fixes": "39a8fc4971a00d22536aeb7d446ee4a97810611b", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: rawmidi - fix the uninitalized user_pversion\n\nThe user_pversion was uninitialized for the user space file structure\nin the open function, because the file private structure use\nkmalloc for the allocation.\n\nThe kernel ALSA sequencer code clears the file structure, so no additional\nfixes are required.\n\nBugLink: 
https://github.com/alsa-project/alsa-lib/issues/178", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47096", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47096", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47096", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47096", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47096", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47096" } }, "CVE-2021-47097": { "affected_versions": "v5.11-rc1 to v5.16-rc7", "breaks": "e4c9062717feda88900b566463228d1c4910af6d", "cmt_msg": "Input: elantech - fix stack out of bound access in elantech_change_report_id()", "fixes": "1d72d9f960ccf1052a0630a68c3d358791dbdaaa", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: elantech - fix stack out of bound access in elantech_change_report_id()\n\nThe array param[] in elantech_change_report_id() must be at least 3\nbytes, because elantech_read_reg_params() is calling ps2_command() with\nPSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but\nit's defined in the stack as an array of 2 bytes, therefore we have a\npotential stack out-of-bounds access here, also confirmed by KASAN:\n\n[ 6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0\n[ 6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118\n\n[ 6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110\n[ 6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020\n[ 6.512436] Workqueue: events_long serio_handle_event\n[ 6.512453] Call Trace:\n[ 6.512462] show_stack+0x52/0x58\n[ 6.512474] dump_stack+0xa1/0xd3\n[ 6.512487] print_address_description.constprop.0+0x1d/0x140\n[ 6.512502] ? __ps2_command+0x372/0x7e0\n[ 6.512516] __kasan_report.cold+0x7d/0x112\n[ 6.512527] ? 
_raw_write_lock_irq+0x20/0xd0\n[ 6.512539] ? __ps2_command+0x372/0x7e0\n[ 6.512552] kasan_report+0x3c/0x50\n[ 6.512564] __asan_load1+0x6a/0x70\n[ 6.512575] __ps2_command+0x372/0x7e0\n[ 6.512589] ? ps2_drain+0x240/0x240\n[ 6.512601] ? dev_printk_emit+0xa2/0xd3\n[ 6.512612] ? dev_vprintk_emit+0xc5/0xc5\n[ 6.512621] ? __kasan_check_write+0x14/0x20\n[ 6.512634] ? mutex_lock+0x8f/0xe0\n[ 6.512643] ? __mutex_lock_slowpath+0x20/0x20\n[ 6.512655] ps2_command+0x52/0x90\n[ 6.512670] elantech_ps2_command+0x4f/0xc0 [psmouse]\n[ 6.512734] elantech_change_report_id+0x1e6/0x256 [psmouse]\n[ 6.512799] ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse]\n[ 6.512863] ? ps2_command+0x7f/0x90\n[ 6.512877] elantech_query_info.cold+0x6bd/0x9ed [psmouse]\n[ 6.512943] ? elantech_setup_ps2+0x460/0x460 [psmouse]\n[ 6.513005] ? psmouse_reset+0x69/0xb0 [psmouse]\n[ 6.513064] ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse]\n[ 6.513122] ? phys_pmd_init+0x30e/0x521\n[ 6.513137] elantech_init+0x8a/0x200 [psmouse]\n[ 6.513200] ? elantech_init_ps2+0xf0/0xf0 [psmouse]\n[ 6.513249] ? elantech_query_info+0x440/0x440 [psmouse]\n[ 6.513296] ? synaptics_send_cmd+0x60/0x60 [psmouse]\n[ 6.513342] ? elantech_query_info+0x440/0x440 [psmouse]\n[ 6.513388] ? psmouse_try_protocol+0x11e/0x170 [psmouse]\n[ 6.513432] psmouse_extensions+0x65d/0x6e0 [psmouse]\n[ 6.513476] ? psmouse_try_protocol+0x170/0x170 [psmouse]\n[ 6.513519] ? mutex_unlock+0x22/0x40\n[ 6.513526] ? ps2_command+0x7f/0x90\n[ 6.513536] ? psmouse_probe+0xa3/0xf0 [psmouse]\n[ 6.513580] psmouse_switch_protocol+0x27d/0x2e0 [psmouse]\n[ 6.513624] psmouse_connect+0x272/0x530 [psmouse]\n[ 6.513669] serio_driver_probe+0x55/0x70\n[ 6.513679] really_probe+0x190/0x720\n[ 6.513689] driver_probe_device+0x160/0x1f0\n[ 6.513697] device_driver_attach+0x119/0x130\n[ 6.513705] ? device_driver_attach+0x130/0x130\n[ 6.513713] __driver_attach+0xe7/0x1a0\n[ 6.513720] ? device_driver_attach+0x130/0x130\n[ 6.513728] bus_for_each_dev+0xfb/0x150\n[ 6.513738] ? 
subsys_dev_iter_exit+0x10/0x10\n[ 6.513748] ? _raw_write_unlock_bh+0x30/0x30\n[ 6.513757] driver_attach+0x2d/0x40\n[ 6.513764] serio_handle_event+0x199/0x3d0\n[ 6.513775] process_one_work+0x471/0x740\n[ 6.513785] worker_thread+0x2d2/0x790\n[ 6.513794] ? process_one_work+0x740/0x740\n[ 6.513802] kthread+0x1b4/0x1e0\n[ 6.513809] ? set_kthread_struct+0x80/0x80\n[ 6.513816] ret_from_fork+0x22/0x30\n\n[ 6.513832] The buggy address belongs to the page:\n[ 6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7\n[ 6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)\n[ 6.513860] raw: 0\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47097", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47097", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47097", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47097", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47097", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47097" } }, "CVE-2021-47098": { "affected_versions": "v5.14-rc1 to v5.16-rc7", "breaks": "b50aa49638c7e12abf4ecc483f4e928c5cccc1b0", "cmt_msg": "hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations", "fixes": "55840b9eae5367b5d5b29619dc2fb7e4596dba46", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations\n\nCommit b50aa49638c7 (\"hwmon: (lm90) Prevent integer underflows of\ntemperature calculations\") addressed a number of underflow situations\nwhen writing temperature limits. 
However, it missed one situation, seen\nwhen an attempt is made to set the hysteresis value to MAX_LONG and the\ncritical temperature limit is negative.\n\nUse clamp_val() when setting the hysteresis temperature to ensure that\nthe provided value can never overflow or underflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47098", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47098", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47098", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47098", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47098", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47098" } }, "CVE-2021-47099": { "affected_versions": "v5.13-rc1 to v5.16-rc7", "breaks": "d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c", "cmt_msg": "veth: ensure skb entering GRO are not cloned.", "fixes": "9695b7de5b4760ed22132aca919570c0190cb0ce", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: ensure skb entering GRO are not cloned.\n\nAfter commit d3256efd8e8b (\"veth: allow enabling NAPI even without XDP\"),\nif GRO is enabled on a veth device and TSO is disabled on the peer\ndevice, TCP skbs will go through the NAPI callback. 
If there is no XDP\nprogram attached, the veth code does not perform any share check, and\nshared/cloned skbs could enter the GRO engine.\n\nIgnat reported a BUG triggered later-on due to the above condition:\n\n[ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574!\n[ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25\n[ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n[ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0\n[ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0\n7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f\n85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89\nf7 4c 89 8c\n[ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246\n[ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000\n[ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2\n[ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0\n[ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590\n[ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0\n[ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000\n[ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0\n[ 53.982634][ C1] Call Trace:\n[ 53.982634][ C1] \n[ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0\n[ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460\n[ 53.982634][ C1] tcp_ack+0x2666/0x54b0\n[ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0\n[ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810\n[ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0\n[ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0\n[ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0\n[ 53.982634][ C1] 
ip_sublist_rcv_finish+0x211/0x440\n[ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660\n[ 53.982634][ C1] ip_list_rcv+0x2c8/0x410\n[ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910\n[ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0\n[ 53.982634][ C1] napi_complete_done+0x188/0x6e0\n[ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0\n[ 53.982634][ C1] __napi_poll+0xa1/0x530\n[ 53.982634][ C1] net_rx_action+0x567/0x1270\n[ 53.982634][ C1] __do_softirq+0x28a/0x9ba\n[ 53.982634][ C1] run_ksoftirqd+0x32/0x60\n[ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0\n[ 53.982634][ C1] kthread+0x3b9/0x490\n[ 53.982634][ C1] ret_from_fork+0x22/0x30\n[ 53.982634][ C1] \n\nAddress the issue by skipping the GRO stage for shared or cloned skbs.\nTo reduce the chance of OoO, try to unclone the skbs before giving up.\n\nv1 -> v2:\n - use avoid skb_copy and fallback to netif_receive_skb - Eric", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47099", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47099", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47099", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47099", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47099", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47099" } }, "CVE-2021-47100": { "affected_versions": "v4.15-rc1 to v5.16-rc7", "breaks": "b2cfd8ab4add53c2070367bfee2f5b738f51698d", "cmt_msg": "ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module", "fixes": "ffb76a86f8096a8206be03b14adda6092e18e275", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module\n\nHi,\n\nWhen testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,\nthe system crashed.\n\nThe log as follows:\n[ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a\n[ 141.087241] PGD 
8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0\n[ 141.087464] Oops: 0010 [#1] SMP NOPTI\n[ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47\n[ 141.088009] Workqueue: events 0xffffffffc09b3a40\n[ 141.088009] RIP: 0010:0xffffffffc09b3a5a\n[ 141.088009] Code: Bad RIP value.\n[ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246\n[ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000\n[ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1\n[ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700\n[ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8\n[ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000\n[ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0\n[ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 141.088009] PKRU: 55555554\n[ 141.088009] Call Trace:\n[ 141.088009] ? process_one_work+0x195/0x390\n[ 141.088009] ? worker_thread+0x30/0x390\n[ 141.088009] ? process_one_work+0x390/0x390\n[ 141.088009] ? kthread+0x10d/0x130\n[ 141.088009] ? kthread_flush_work_fn+0x10/0x10\n[ 141.088009] ? 
ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a\n[ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0\n[ 200.223464] Oops: 0010 [#1] SMP NOPTI\n[ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46\n[ 200.224008] Workqueue: events 0xffffffffc0b28a40\n[ 200.224008] RIP: 0010:0xffffffffc0b28a5a\n[ 200.224008] Code: Bad RIP value.\n[ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246\n[ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000\n[ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5\n[ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700\n[ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8\n[ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000\n[ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0\n[ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 200.224008] PKRU: 55555554\n[ 200.224008] Call Trace:\n[ 200.224008] ? process_one_work+0x195/0x390\n[ 200.224008] ? worker_thread+0x30/0x390\n[ 200.224008] ? process_one_work+0x390/0x390\n[ 200.224008] ? kthread+0x10d/0x130\n[ 200.224008] ? kthread_flush_work_fn+0x10/0x10\n[ 200.224008] ? 
ret_from_fork+0x35/0x40\n[ 200.224008] kernel fault(0x1) notification starting on CPU 63\n[ 200.224008] kernel fault(0x1) notification finished on CPU 63\n[ 200.224008] CR2: ffffffffc0b28a5a\n[ 200.224008] ---[ end trace c82a412d93f57412 ]---\n\nThe reason is as follows:\nT1: rmmod ipmi_si.\n ->ipmi_unregister_smi()\n -> ipmi_bmc_unregister()\n -> __ipmi_bmc_unregister()\n -> kref_put(&bmc->usecount, cleanup_bmc_device);\n -> schedule_work(&bmc->remove_work);\n\nT2: rmmod ipmi_msghandl\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47100", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47100", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47100", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47100", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47100", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47100" } }, "CVE-2021-47101": { "affected_versions": "unk to v5.16-rc7", "breaks": "", "cmt_msg": "asix: fix uninit-value in asix_mdio_read()", "fixes": "8035b1a2a37a29d8c717ef84fca8fe7278bc9f03", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nasix: fix uninit-value in asix_mdio_read()\n\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\n\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 
drivers/net/usb/asix_common.c:497", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47101", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47101", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47101", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47101", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47101", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47101" } }, "CVE-2021-47102": { "affected_versions": "v5.14-rc1 to v5.16-rc7", "breaks": "3d5048cc54bd250cfbb358c37fcc011135977887", "cmt_msg": "net: marvell: prestera: fix incorrect structure access", "fixes": "2efc2256febf214e7b2bdaa21fe6c3c3146acdcb", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix incorrect structure access\n\nIn line:\n\tupper = info->upper_dev;\nWe access upper_dev field, which is related only for particular events\n(e.g. event == NETDEV_CHANGEUPPER). 
So, this line cause invalid memory\naccess for another events,\nwhen ptr is not netdev_notifier_changeupper_info.\n\nThe KASAN logs are as follows:\n\n[ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]\n[ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778\n[ 30.139866]\n[ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6\n[ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[ 30.153056] Call trace:\n[ 30.155547] dump_backtrace+0x0/0x2c0\n[ 30.159320] show_stack+0x18/0x30\n[ 30.162729] dump_stack_lvl+0x68/0x84\n[ 30.166491] print_address_description.constprop.0+0x74/0x2b8\n[ 30.172346] kasan_report+0x1e8/0x250\n[ 30.176102] __asan_load8+0x98/0xe0\n[ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]\n[ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera]\n[ 30.193313] raw_notifier_call_chain+0x74/0xa0\n[ 30.197860] call_netdevice_notifiers_info+0x68/0xc0\n[ 30.202924] register_netdevice+0x3cc/0x760\n[ 30.207190] register_netdev+0x24/0x50\n[ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47102", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47102", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47102", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47102", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47102", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47102" } }, "CVE-2021-47103": { "affected_versions": "unk to v5.16-rc7", "breaks": "", "cmt_msg": "inet: fully convert sk->sk_rx_dst to RCU rules", "fixes": "8f905c0e7354ef261360fb7535ea079b1082c105", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: fully convert sk->sk_rx_dst to RCU rules\n\nsyzbot reported various issues around early demux,\none being 
included in this changelog [1]\n\nsk->sk_rx_dst is using RCU protection without clearly\ndocumenting it.\n\nAnd following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv()\nare not following standard RCU rules.\n\n[a] dst_release(dst);\n[b] sk->sk_rx_dst = NULL;\n\nThey look wrong because a delete operation of RCU protected\npointer is supposed to clear the pointer before\nthe call_rcu()/synchronize_rcu() guarding actual memory freeing.\n\nIn some cases indeed, dst could be freed before [b] is done.\n\nWe could cheat by clearing sk_rx_dst before calling\ndst_release(), but this seems the right time to stick\nto standard RCU annotations and debugging facilities.\n\n[1]\nBUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline]\nBUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792\nRead of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204\n\nCPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n dst_check include/net/dst.h:470 [inline]\n tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792\n ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340\n ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583\n ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]\n ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644\n __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]\n __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556\n __netif_receive_skb_list net/core/dev.c:5608 [inline]\n netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699\n gro_normal_list net/core/dev.c:5853 [inline]\n 
gro_normal_list net/core/dev.c:5849 [inline]\n napi_complete_done+0x1f1/0x880 net/core/dev.c:6590\n virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]\n virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557\n __napi_poll+0xaf/0x440 net/core/dev.c:7023\n napi_poll net/core/dev.c:7090 [inline]\n net_rx_action+0x801/0xb40 net/core/dev.c:7177\n __do_softirq+0x29b/0x9c2 kernel/softirq.c:558\n invoke_softirq kernel/softirq.c:432 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:649\n common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240\n asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629\nRIP: 0033:0x7f5e972bfd57\nCode: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73\nRSP: 002b:00007fff8a413210 EFLAGS: 00000283\nRAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45\nRDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45\nRBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9\nR10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0\nR13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019\n \n\nAllocated by task 13:\n kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:46 [inline]\n set_alloc_info mm/kasan/common.c:434 [inline]\n __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467\n kasan_slab_alloc include/linux/kasan.h:259 [inline]\n slab_post_alloc_hook mm/slab.h:519 [inline]\n slab_alloc_node mm/slub.c:3234 [inline]\n slab_alloc mm/slub.c:3242 [inline]\n kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247\n dst_alloc+0x146/0x1f0 net/core/dst.c:92\n rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613\n ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:234\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47103", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2021-47103", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47103", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47103", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47103", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47103" } }, "CVE-2021-47104": { "affected_versions": "v5.15 to v5.16-rc7", "breaks": "d39bf40e55e666b5905fdbd46a0dced030ce87be", "cmt_msg": "IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()", "fixes": "bee90911e0138c76ee67458ac0d58b38a3190f65", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/qib: Fix memory leak in qib_user_sdma_queue_pkts()\n\nThe wrong goto label was used for the error case and missed cleanup of the\npkt allocation.\n\nAddresses-Coverity-ID: 1493352 (\"Resource leak\")", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47104", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47104", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47104", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47104", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47104", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47104" } }, "CVE-2021-47105": { "affected_versions": "v5.5-rc1 to v5.16-rc7", "breaks": "2d4238f5569722197612656163d824098208519c", "cmt_msg": "ice: xsk: return xsk buffers back to pool when cleaning the ring", "fixes": "afe8a3ba85ec2a6b6849367e25c06a2f8e0ddd05", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: xsk: return xsk buffers back to pool when cleaning the ring\n\nCurrently we only NULL the xdp_buff pointer in the internal SW ring but\nwe never give it back to the xsk buffer pool. 
This means that buffers\ncan be leaked out of the buff pool and never be used again.\n\nAdd missing xsk_buff_free() call to the routine that is supposed to\nclean the entries that are left in the ring so that these buffers in the\numem can be used by other sockets.\n\nAlso, only go through the space that is actually left to be cleaned\ninstead of a whole ring.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47105", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47105", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47105", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47105", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47105", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47105" } }, "CVE-2021-47106": { "affected_versions": "v5.13-rc1 to v5.16-rc7", "breaks": "aaa31047a6d25da0fa101da1ed544e1247949b40", "cmt_msg": "netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()", "fixes": "0f7d9b31ce7abdbb29bf018131ac920c9f698518", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()\n\nWe need to use list_for_each_entry_safe() iterator\nbecause we can not access @catchall after kfree_rcu() call.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]\nBUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]\nBUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493\nRead of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871\n\nCPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 
lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]\n nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]\n nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493\n __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626\n nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688\n notifier_call_chain+0xb5/0x200 kernel/notifier.c:83\n blocking_notifier_call_chain kernel/notifier.c:318 [inline]\n blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306\n netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788\n __sock_release+0xcd/0x280 net/socket.c:649\n sock_close+0x18/0x20 net/socket.c:1314\n __fput+0x286/0x9f0 fs/file_table.c:280\n task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n tracehook_notify_resume include/linux/tracehook.h:189 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:175 [inline]\n exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207\n __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f75fbf28adb\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb\nRDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003\nRBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830\nR10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3\nR13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 
0000000000000032\n \n\nAllocated by task 8886:\n kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:46 [inline]\n set_alloc_info mm/kasan/common.c:434 [inline]\n ____kasan_kmalloc mm/kasan/common.c:513 [inline]\n ____kasan_kmalloc mm/kasan/common.c:472 [inline]\n __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522\n kasan_kmalloc include/linux/kasan.h:269 [inline]\n kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575\n kmalloc include/linux/slab.h:590 [inline]\n nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline]\n nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline]\n nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936\n nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032\n nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47106", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47106", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47106", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47106", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47106", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47106" } }, "CVE-2021-47107": { "affected_versions": "v5.13-rc1 to v5.16-rc7", "breaks": "f5dcccd647da513a89f3b6ca392b0c1eb050b9fc", "cmt_msg": "NFSD: Fix READDIR buffer overflow", "fixes": "53b1119a6e5028b125f431a0116ba73510d82a72", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix READDIR buffer overflow\n\nIf a 
client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\n\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\n\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\n\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47107", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47107", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47107", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47107", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47107", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47107" } }, "CVE-2021-47108": { "affected_versions": "v5.14-rc1 to v5.16-rc7", "breaks": "41ca9caaae0bfc959b22dbcd59d88a7107707e17", "cmt_msg": "drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf", "fixes": "3b8e19a0aa3933a785be9f1541afd8d398c4ec69", "last_affected_version": "5.15.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf\n\nIn commit 41ca9caaae0b\n(\"drm/mediatek: hdmi: Add check for CEA modes only\") a check\nfor CEA modes was added to function mtk_hdmi_bridge_mode_valid()\nin order to address possible issues on MT8167;\nmoreover, with commit c91026a938c2\n(\"drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock\")\nanother similar check was 
introduced.\n\nUnfortunately though, at the time of writing, MT8173 does not provide\nany mtk_hdmi_conf structure and this is crashing the kernel with NULL\npointer upon entering mtk_hdmi_bridge_mode_valid(), which happens as\nsoon as a HDMI cable gets plugged in.\n\nTo fix this regression, add a NULL pointer check for hdmi->conf in the\nsaid function, restoring HDMI functionality and avoiding NULL pointer\nkernel panics.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47108", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47108", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47108", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47108", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47108", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47108" } }, "CVE-2021-47109": { "affected_versions": "v5.0-rc1 to v5.13-rc7", "breaks": "58956317c8de52009d1a38a721474c24aef74fe7", "cmt_msg": "neighbour: allow NUD_NOARP entries to be forced GCed", "fixes": "7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: allow NUD_NOARP entries to be forced GCed\n\nIFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. 
It's possible to\nfill up the neighbour table with enough entries that it will overflow for\nvalid connections after that.\n\nThis behaviour is more prevalent after commit 58956317c8de (\"neighbor:\nImprove garbage collection\") is applied, as it prevents removal from\nentries that are not NUD_FAILED, unless they are more than 5s old.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47109", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47109", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47109", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47109", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47109", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47109" } }, "CVE-2021-47110": { "affected_versions": "v2.6.12-rc2 to v5.13-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/kvm: Disable kvmclock on all CPUs on shutdown", "fixes": "c02027b5742b5aa804ef08a4a9db433295533046", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Disable kvmclock on all CPUs on shutdown\n\nCurrenly, we disable kvmclock from machine_shutdown() hook and this\nonly happens for boot CPU. We need to disable it for all CPUs to\nguard against memory corruption e.g. 
on restore from hibernate.\n\nNote, writing '0' to kvmclock MSR doesn't clear memory location, it\njust prevents hypervisor from updating the location so for the short\nwhile after write and while CPU is still alive, the clock remains usable\nand correct so we don't need to switch to some other clocksource.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47110", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47110", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47110", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47110", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47110", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47110" } }, "CVE-2021-47111": { "affected_versions": "v5.5-rc1 to v5.13-rc6", "breaks": "2ac061ce97f413bfbbdd768f7d2e0fda2e8170df", "cmt_msg": "xen-netback: take a reference to the RX task thread", "fixes": "107866a8eb0b664675a260f1ba0655010fac1e08", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netback: take a reference to the RX task thread\n\nDo this in order to prevent the task from being freed if the thread\nreturns (which can be triggered by the frontend) before the call to\nkthread_stop done as part of the backend tear down. Not taking the\nreference will lead to a use-after-free in that scenario. 
Such\nreference was taken before but dropped as part of the rework done in\n2ac061ce97f4.\n\nReintroduce the reference taking and add a comment this time\nexplaining why it's needed.\n\nThis is XSA-374 / CVE-2021-28691.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47111", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47111", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47111", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47111", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47111", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47111" } }, "CVE-2021-47112": { "affected_versions": "v2.6.12-rc2 to v5.13-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/kvm: Teardown PV features on boot CPU as well", "fixes": "8b79feffeca28c5459458fe78676b081e87c93a4", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Teardown PV features on boot CPU as well\n\nVarious PV features (Async PF, PV EOI, steal time) work through memory\nshared with hypervisor and when we restore from hibernation we must\nproperly teardown all these features to make sure hypervisor doesn't\nwrite to stale locations after we jump to the previously hibernated kernel\n(which can try to place anything there). 
For secondary CPUs the job is\nalready done by kvm_cpu_down_prepare(), register syscore ops to do\nthe same for boot CPU.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47112", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47112", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47112", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47112", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47112", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47112" } }, "CVE-2021-47113": { "affected_versions": "v2.6.12-rc2 to v5.13-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: abort in rename_exchange if we fail to insert the second ref", "fixes": "dc09ef3562726cd520c8338c1640872a60187af5", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: abort in rename_exchange if we fail to insert the second ref\n\nError injection stress uncovered a problem where we'd leave a dangling\ninode ref if we failed during a rename_exchange. This happens because\nwe insert the inode ref for one side of the rename, and then for the\nother side. If this second inode ref insert fails we'll leave the first\none dangling and leave a corrupt file system behind. 
Fix this by\naborting if we did the insert for the first inode ref.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47113", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47113", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47113", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47113", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47113", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47113" } }, "CVE-2021-47114": { "affected_versions": "v2.6.12-rc2 to v5.13-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ocfs2: fix data corruption by fallocate", "fixes": "6bba4471f0cc1296fe3c2089b9e52442d3074b2e", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix data corruption by fallocate\n\nWhen fallocate punches holes out of inode size, if original isize is in\nthe middle of last cluster, then the part from isize to the end of the\ncluster will be zeroed with buffer write, at that time isize is not yet\nupdated to match the new size, if writeback is kicked in, it will invoke\nocfs2_writepage()->block_write_full_page() where the pages out of inode\nsize will be dropped. That will cause file corruption. 
Fix this by\nzero out eof blocks when extending the inode size.\n\nRunning the following command with qemu-image 4.2.1 can get a corrupted\ncoverted image file easily.\n\n qemu-img convert -p -t none -T none -f qcow2 $qcow_image \\\n -O qcow2 -o compat=1.1 $qcow_image.conv\n\nThe usage of fallocate in qemu is like this, it first punches holes out\nof inode size, then extend the inode size.\n\n fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0\n fallocate(11, 0, 2276196352, 65536) = 0\n\nv1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html\nv2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47114", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47114", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47114", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47114", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47114", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47114" } }, "CVE-2021-47116": { "affected_versions": "unk to v5.13-rc5", "breaks": "", "cmt_msg": "ext4: fix memory leak in ext4_mb_init_backend on error path.", "fixes": "a8867f4e3809050571c98de7a2d465aff5e4daf5", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leak in ext4_mb_init_backend on error path.\n\nFix a memory leak discovered by syzbot when a file system is corrupted\nwith an illegally large s_log_groups_per_flex.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47116", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47116", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47116", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47116", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47116", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47116" } 
}, "CVE-2021-47117": { "affected_versions": "v2.6.12-rc2 to v5.13-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed", "fixes": "082cd4ec240b8734a82a89ffb890216ac98fec68", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed\n\nWe got follow bug_on when run fsstress with injecting IO fault:\n[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!\n[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP\n......\n[130747.334329] Call trace:\n[130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4]\n[130747.334975] ext4_cache_extents+0x64/0xe8 [ext4]\n[130747.335368] ext4_find_extent+0x300/0x330 [ext4]\n[130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4]\n[130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4]\n[130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4]\n[130747.336995] ext4_readpage+0x54/0x100 [ext4]\n[130747.337359] generic_file_buffered_read+0x410/0xae8\n[130747.337767] generic_file_read_iter+0x114/0x190\n[130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4]\n[130747.338556] __vfs_read+0x11c/0x188\n[130747.338851] vfs_read+0x94/0x150\n[130747.339110] ksys_read+0x74/0xf0\n\nThis patch's modification is according to Jan Kara's suggestion in:\nhttps://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/\n\"I see. Now I understand your patch. Honestly, seeing how fragile is trying\nto fix extent tree after split has failed in the middle, I would probably\ngo even further and make sure we fix the tree properly in case of ENOSPC\nand EDQUOT (those are easily user triggerable). 
Anything else indicates a\nHW problem or fs corruption so I'd rather leave the extent tree as is and\ndon't try to fix it (which also means we will not create overlapping\nextents).\"", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47117", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47117", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47117", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47117", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47117", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47117" } }, "CVE-2021-47118": { "affected_versions": "v2.6.19-rc1 to v5.13-rc5", "breaks": "9ec52099e4b8678a60e9f93e41ad87885d64f3e6", "cmt_msg": "pid: take a reference when initializing `cad_pid`", "fixes": "0711f0d7050b9e07c44bc159bbc64ac0a1022c7f", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: take a reference when initializing `cad_pid`\n\nDuring boot, kernel_init_freeable() initializes `cad_pid` to the init\ntask's struct pid. Later on, we may change `cad_pid` via a sysctl, and\nwhen this happens proc_do_cad_pid() will increment the refcount on the\nnew pid via get_pid(), and will decrement the refcount on the old pid\nvia put_pid(). As we never called get_pid() when we initialized\n`cad_pid`, we decrement a reference we never incremented, can therefore\nfree the init task's struct pid early. As there can be dangling\nreferences to the struct pid, we can later encounter a use-after-free\n(e.g. 
when delivering signals).\n\nThis was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to\nhave been around since the conversion of `cad_pid` to struct pid in\ncommit 9ec52099e4b8 (\"[PATCH] replace cad_pid by a struct pid\") from the\npre-KASAN stone age of v2.6.19.\n\nFix this by getting a reference to the init task's struct pid when we\nassign it to `cad_pid`.\n\nFull KASAN splat below.\n\n ==================================================================\n BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]\n BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\n Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273\n\n CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n ns_of_pid include/linux/pid.h:153 [inline]\n task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\n do_notify_parent+0x308/0xe60 kernel/signal.c:1950\n exit_notify kernel/exit.c:682 [inline]\n do_exit+0x2334/0x2bd0 kernel/exit.c:845\n do_group_exit+0x108/0x2c8 kernel/exit.c:922\n get_signal+0x4e4/0x2a88 kernel/signal.c:2781\n do_signal arch/arm64/kernel/signal.c:882 [inline]\n do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936\n work_pending+0xc/0x2dc\n\n Allocated by task 0:\n slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516\n slab_alloc_node mm/slub.c:2907 [inline]\n slab_alloc mm/slub.c:2915 [inline]\n kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920\n alloc_pid+0xdc/0xc00 kernel/pid.c:180\n copy_process+0x2794/0x5e18 kernel/fork.c:2129\n kernel_clone+0x194/0x13c8 kernel/fork.c:2500\n kernel_thread+0xd4/0x110 kernel/fork.c:2552\n rest_init+0x44/0x4a0 init/main.c:687\n arch_call_rest_init+0x1c/0x28\n start_kernel+0x520/0x554 init/main.c:1064\n 0x0\n\n Freed by task 270:\n slab_free_hook mm/slub.c:1562 [inline]\n slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600\n slab_free mm/slub.c:3161 [inline]\n kmem_cache_free+0x224/0x8e0 mm/slub.c:3177\n 
put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114\n put_pid+0x30/0x48 kernel/pid.c:109\n proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401\n proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591\n proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617\n call_write_iter include/linux/fs.h:1977 [inline]\n new_sync_write+0x3ac/0x510 fs/read_write.c:518\n vfs_write fs/read_write.c:605 [inline]\n vfs_write+0x9c4/0x1018 fs/read_write.c:585\n ksys_write+0x124/0x240 fs/read_write.c:658\n __do_sys_write fs/read_write.c:670 [inline]\n __se_sys_write fs/read_write.c:667 [inline]\n __arm64_sys_write+0x78/0xb0 fs/read_write.c:667\n __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]\n el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129\n do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168\n el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416\n el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432\n el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701\n\n The buggy address belongs to the object at ffff23794dda0000\n which belongs to the cache pid of size 224\n The buggy address is located 4 bytes inside of\n 224-byte region [ff\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47118", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47118", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47118", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47118", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47118", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47118" } }, "CVE-2021-47119": { "affected_versions": "v2.6.25-rc1 to v5.13-rc5", "breaks": "ce40733ce93de402ed629762f0e912d9af187cef", "cmt_msg": "ext4: fix memory leak in ext4_fill_super", "fixes": "afd09b617db3786b6ef3dc43e28fe728cfea84df", "last_affected_version": "5.12.17", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability 
has been resolved:\n\next4: fix memory leak in ext4_fill_super\n\nBuffer head references must be released before calling kill_bdev();\notherwise the buffer head (and its page referenced by b_data) will not\nbe freed by kill_bdev, and subsequently that bh will be leaked.\n\nIf blocksizes differ, sb_set_blocksize() will kill current buffers and\npage cache by using kill_bdev(). And then super block will be reread\nagain but using correct blocksize this time. sb_set_blocksize() didn't\nfully free superblock page and buffer head, and being busy, they were\nnot freed and instead leaked.\n\nThis can easily be reproduced by calling an infinite loop of:\n\n systemctl start .mount, and\n systemctl stop .mount\n\n... since systemd creates a cgroup for each slice which it mounts, and\nthe bh leak get amplified by a dying memory cgroup that also never\ngets freed, and memory consumption is much more easily noticed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47119", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47119", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47119", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47119", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47119", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47119" } }, "CVE-2021-47120": { "affected_versions": "v4.20-rc1 to v5.13-rc5", "breaks": "9d7b18668956c411a422d04c712994c5fdb23a4b", "cmt_msg": "HID: magicmouse: fix NULL-deref on disconnect", "fixes": "4b4f6cecca446abcb686c6e6c451d4f1ec1a7497", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: fix NULL-deref on disconnect\n\nCommit 9d7b18668956 (\"HID: magicmouse: add support for Apple Magic\nTrackpad 2\") added a sanity check for an Apple trackpad but returned\nsuccess instead of -ENODEV when the check failed. 
This means that the\nremove callback will dereference the never-initialised driver data\npointer when the driver is later unbound (e.g. on USB disconnect).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47120", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47120", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47120", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47120", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47120", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47120" } }, "CVE-2021-47121": { "affected_versions": "v3.3-rc1 to v5.13-rc5", "breaks": "7ad65bf68d705b445ef10b77ab50dab22be185ee", "cmt_msg": "net: caif: fix memory leak in cfusbl_device_notify", "fixes": "7f5d86669fa4d485523ddb1d212e0a2d90bd62bb", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in cfusbl_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. 
So simply free allocated pointer in case\nof error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47121", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47121", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47121", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47121", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47121", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47121" } }, "CVE-2021-47122": { "affected_versions": "v3.3-rc1 to v5.13-rc5", "breaks": "7c18d2205ea76eef9674e59e1ecae4f332a53e9e", "cmt_msg": "net: caif: fix memory leak in caif_device_notify", "fixes": "b53558a950a89824938e9811eddfc8efcd94e1bb", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in caif_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47122", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47122", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47122", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47122", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47122", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47122" } }, "CVE-2021-47123": { "affected_versions": "v5.11-rc1 to v5.13-rc2", "breaks": "90cd7e424969d29aff653333b4dcb4e2e199d791", "cmt_msg": "io_uring: fix ltout double free on completion race", "fixes": "447c19f3b5074409c794b350b10306e1da1ef4ba", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix ltout double free on completion race\n\nAlways remove linked timeout on io_link_timeout_fn() from the master\nrequest link list, otherwise we may 
get use-after-free when first\nio_link_timeout_fn() puts linked timeout in the fail path, and then\nwill be found and put on master's free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47123", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47123", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47123", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47123", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47123", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47123" } }, "CVE-2021-47124": { "affected_versions": "unk to v5.13-rc2", "breaks": "", "cmt_msg": "io_uring: fix link timeout refs", "fixes": "a298232ee6b9a1d5d732aa497ff8be0d45b5bd82", "last_affected_version": "5.12.18", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix link timeout refs\n\nWARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28\nRIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28\nCall Trace:\n __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n io_put_req fs/io_uring.c:2140 [inline]\n io_queue_linked_timeout fs/io_uring.c:6300 [inline]\n __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354\n io_submit_sqe fs/io_uring.c:6534 [inline]\n io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660\n __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]\n __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182\n\nio_link_timeout_fn() should put only one reference of the linked timeout\nrequest, however in case of racing with the master request's completion\nfirst io_req_complete() puts one and then io_put_req_deferred() is\ncalled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47124", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47124", 
"NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47124", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47124", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47124", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47124" } }, "CVE-2021-47125": { "affected_versions": "unk to v5.13-rc5", "breaks": "", "cmt_msg": "sch_htb: fix refcount leak in htb_parent_to_leaf_offload", "fixes": "944d671d5faa0d78980a3da5c0f04960ef1ad893", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: fix refcount leak in htb_parent_to_leaf_offload\n\nThe commit ae81feb7338c (\"sch_htb: fix null pointer dereference\non a null new_q\") fixes a NULL pointer dereference bug, but it\nis not correct.\n\nBecause htb_graft_helper properly handles the case when new_q\nis NULL, and after the previous patch by skipping this call\nwhich creates an inconsistency : dev_queue->qdisc will still\npoint to the old qdisc, but cl->parent->leaf.q will point to\nthe new one (which will be noop_qdisc, because new_q was NULL).\nThe code is based on an assumption that these two pointers are\nthe same, so it can lead to refcount leaks.\n\nThe correct fix is to add a NULL pointer check to protect\nqdisc_refcount_inc inside htb_parent_to_leaf_offload.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47125", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47125", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47125", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47125", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47125", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47125" } }, "CVE-2021-47126": { "affected_versions": "v5.3-rc1 to v5.13-rc5", "breaks": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74", "cmt_msg": "ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions", "fixes": "821bbf79fe46a8b1d18aa456e8ed0a3c208c3754", 
"last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions\n\nReported by syzbot:\nHEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..\ngit tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master\ndashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7\ncompiler: Debian clang version 11.0.1-2\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]\nBUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732\nRead of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760\n\nCPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0\nCall Trace:\n \n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x202/0x31e lib/dump_stack.c:120\n print_address_description+0x5f/0x3b0 mm/kasan/report.c:232\n __kasan_report mm/kasan/report.c:399 [inline]\n kasan_report+0x15c/0x200 mm/kasan/report.c:416\n fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]\n fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732\n fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536\n fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174\n rcu_do_batch kernel/rcu/tree.c:2559 [inline]\n rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794\n __do_softirq+0x372/0x7a6 kernel/softirq.c:345\n invoke_softirq kernel/softirq.c:221 [inline]\n __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:434\n sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100\n \n asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632\nRIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515\nCode: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 
00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d\nRSP: 0018:ffffc90009e06560 EFLAGS: 00000206\nRAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1\nR10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4\n rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267\n rcu_read_lock include/linux/rcupdate.h:656 [inline]\n ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231\n ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212\n ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379\n ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982\n ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238\n ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638\n ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848\n ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900\n ext4_append+0x1a4/0x360 fs/ext4/namei.c:67\n ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768\n ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814\n vfs_mkdir+0x45b/0x640 fs/namei.c:3819\n ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]\n ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146\n ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193\n ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788\n ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355\n ovl_get_workdir fs/overlayfs/super.c:1492 [inline]\n ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035\n mount_nodev+0x52/0xe0 fs/super.c:1413\n legacy_get_tree+0xea/0x180 fs/fs_context.c:592\n vfs_get_tree+0x86/0x270 fs/super.c:1497\n do_new_mount fs/namespace.c:2903 [inline]\n path_mount+0x196f/0x2be0 fs/namespace.c:3233\n do_mount fs/namespace.c:3246 [inline]\n __do_sys_mount fs/namespace.c:3454 [inline]\n __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431\n do_syscall_64+0x2d/0x70 
arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 \n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47126", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47126", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47126", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47126", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47126", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47126" } }, "CVE-2021-47127": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc5", "breaks": "c7a219048e459cf99c6fec0f7c1e42414e9e6202", "cmt_msg": "ice: track AF_XDP ZC enabled queues in bitmap", "fixes": "e102db780e1c14f10c70dafa7684af22a745b51d", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: track AF_XDP ZC enabled queues in bitmap\n\nCommit c7a219048e45 (\"ice: Remove xsk_buff_pool from VSI structure\")\nsilently introduced a regression and broke the Tx side of AF_XDP in copy\nmode. 
xsk_pool on ice_ring is set only based on the existence of the XDP\nprog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.\nThat is not something that should happen for copy mode as it should use\nthe regular data path ice_clean_tx_irq.\n\nThis results in a following splat when xdpsock is run in txonly or l2fwd\nscenarios in copy mode:\n\n\n[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 106.057269] #PF: supervisor read access in kernel mode\n[ 106.062493] #PF: error_code(0x0000) - not-present page\n[ 106.067709] PGD 0 P4D 0\n[ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45\n[ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50\n[ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00\n[ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206\n[ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800\n[ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800\n[ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800\n[ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff\n[ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018\n[ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000\n[ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0\n[ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 106.192898] PKRU: 55555554\n[ 106.195653] 
Call Trace:\n[ 106.198143] \n[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]\n[ 106.205087] ice_napi_poll+0x3e/0x590 [ice]\n[ 106.209356] __napi_poll+0x2a/0x160\n[ 106.212911] net_rx_action+0xd6/0x200\n[ 106.216634] __do_softirq+0xbf/0x29b\n[ 106.220274] irq_exit_rcu+0x88/0xc0\n[ 106.223819] common_interrupt+0x7b/0xa0\n[ 106.227719] \n[ 106.229857] asm_common_interrupt+0x1e/0x40\n\n\nFix this by introducing the bitmap of queues that are zero-copy enabled,\nwhere each bit, corresponding to a queue id that xsk pool is being\nconfigured on, will be set/cleared within ice_xsk_pool_{en,dis}able and\nchecked within ice_xsk_pool(). The latter is a function used for\ndeciding which napi poll routine is executed.\nIdea is being taken from our other drivers such as i40e and ixgbe.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47127", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47127", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47127", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47127", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47127", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47127" } }, "CVE-2021-47128": { "affected_versions": "unk to v5.13-rc5", "breaks": "", "cmt_msg": "bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks", "fixes": "ff40e51043af63715ab413995ff46996ecf9583f", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lockdown, audit: Fix buggy SELinux lockdown permission checks\n\nCommit 59438b46471a (\"security,lockdown,selinux: implement SELinux lockdown\")\nadded an implementation of the locked_down LSM hook to SELinux, with the aim\nto restrict which domains are allowed to perform operations that would breach\nlockdown. This is indirectly also getting audit subsystem involved to report\nevents. 
The latter is problematic, as reported by Ondrej and Serhei, since it\ncan bring down the whole system via audit:\n\n 1) The audit events that are triggered due to calls to security_locked_down()\n can OOM kill a machine, see below details [0].\n\n 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()\n when trying to wake up kauditd, for example, when using trace_sched_switch()\n tracepoint, see details in [1]. Triggering this was not via some hypothetical\n corner case, but with existing tools like runqlat & runqslower from bcc, for\n example, which make use of this tracepoint. Rough call sequence goes like:\n\n rq_lock(rq) -> -------------------------+\n trace_sched_switch() -> |\n bpf_prog_xyz() -> +-> deadlock\n selinux_lockdown() -> |\n audit_log_end() -> |\n wake_up_interruptible() -> |\n try_to_wake_up() -> |\n rq_lock(rq) --------------+\n\nWhat's worse is that the intention of 59438b46471a to further restrict lockdown\nsettings for specific applications in respect to the global lockdown policy is\ncompletely broken for BPF. The SELinux policy rule for the current lockdown check\nlooks something like this:\n\n allow : lockdown { };\n\nHowever, this doesn't match with the 'current' task where the security_locked_down()\nis executed, example: httpd does a syscall. There is a tracing program attached\nto the syscall which triggers a BPF program to run, which ends up doing a\nbpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does\nthe permission check against 'current', that is, httpd in this example. httpd\nhas literally zero relation to this tracing program, and it would be nonsensical\nhaving to write an SELinux policy rule against httpd to let the tracing helper\npass. The policy in this case needs to be against the entity that is installing\nthe BPF program. 
For example, if bpftrace would generate a histogram of syscall\ncounts by user space application:\n\n bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'\n\nbpftrace would then go and generate a BPF program from this internally. One way\nof doing it [for the sake of the example] could be to call bpf_get_current_task()\nhelper and then access current->comm via one of bpf_probe_read_kernel{,_str}()\nhelpers. So the program itself has nothing to do with httpd or any other random\napp doing a syscall here. The BPF program _explicitly initiated_ the lockdown\ncheck. The allow/deny policy belongs in the context of bpftrace: meaning, you\nwant to grant bpftrace access to use these helpers, but other tracers on the\nsystem like my_random_tracer _not_.\n\nTherefore fix all three issues at the same time by taking a completely different\napproach for the security_locked_down() hook, that is, move the check into the\nprogram verification phase where we actually retrieve the BPF func proto. This\nalso reliably gets the task (current) that is trying to install the BPF tracing\nprogram, e.g. 
bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since\nwe're moving this out of the BPF helper's fast-path which can be called several\nmillions of times per second.\n\nThe check is then also in line with other security_locked_down() hooks in the\nsystem where the enforcement is performed at open/load time, for example,\nopen_kcore() for /proc/kcore access or module_sig_check() for module signatures\njust to pick f\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47128", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47128", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47128", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47128" } }, "CVE-2021-47129": { "affected_versions": "v5.3-rc1 to v5.13-rc5", "breaks": "857b46027d6f91150797295752581b7155b9d0e1", "cmt_msg": "netfilter: nft_ct: skip expectations for confirmed conntrack", "fixes": "1710eb913bdcda3917f44d383c32de6bdabfc836", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: skip expectations for confirmed conntrack\n\nnft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed\nconntrack entry. 
However, nf_ct_ext_add() can only be called for\n!nf_ct_is_confirmed().\n\n[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]\n[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]\n[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00\n[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202\n[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887\n[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440\n[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447\n[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440\n[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20\n[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000\n[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0\n[ 1825.352508] Call Trace:\n[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]\n[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]\n[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]\n\nAdd the ct helper extension only for unconfirmed conntrack. Skip rule\nevaluation if the ct helper extension does not exist. Thus, you can\nonly create expectations from the first packet.\n\nIt should be possible to remove this limitation by adding a new action\nto attach a generic ct helper to the first packet. 
Then, use this ct\nhelper extension from follow up packets to create the ct expectation.\n\nWhile at it, add a missing check to skip the template conntrack too\nand remove check for IPCT_UNTRACK which is implicit to !ct.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47129", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47129", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47129", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47129", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47129", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47129" } }, "CVE-2021-47130": { "affected_versions": "v5.8-rc1 to v5.13-rc5", "breaks": "c6e3f13398123a008cd2ee28f93510b113a32791", "cmt_msg": "nvmet: fix freeing unallocated p2pmem", "fixes": "bcd9a0797d73eeff659582f23277e7ab6e5f18f3", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix freeing unallocated p2pmem\n\nIn case p2p device was found but the p2p pool is empty, the nvme target\nis still trying to free the sgl from the p2p pool instead of the\nregular sgl pool and causing a crash (BUG() is called). 
Instead, assign\nthe p2p_dev for the request only if it was allocated from p2p pool.\n\nThis is the crash that was caused:\n\n[Sun May 30 19:13:53 2021] ------------[ cut here ]------------\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI\n...\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n...\n[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0\n...\n[Sun May 30 19:13:53 2021] Call Trace:\n[Sun May 30 19:13:53 2021] ------------[ cut here ]------------\n[Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70\n[Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80\n[Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet]\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n[Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]\n[Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47130", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47130", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47130", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47130", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47130", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47130" } }, "CVE-2021-47131": { "affected_versions": "unk to v5.13-rc5", "breaks": "", "cmt_msg": "net/tls: Fix use-after-free after the TLS device goes down and up", "fixes": "c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: Fix use-after-free after the TLS device goes down and up\n\nWhen a netdev with active TLS offload goes down, tls_device_down is\ncalled to stop the offload and tear down the TLS context. 
However, the\nsocket stays alive, and it still points to the TLS context, which is now\ndeallocated. If a netdev goes up, while the connection is still active,\nand the data flow resumes after a number of TCP retransmissions, it will\nlead to a use-after-free of the TLS context.\n\nThis commit addresses this bug by keeping the context alive until its\nnormal destruction, and implements the necessary fallbacks, so that the\nconnection can resume in software (non-offloaded) kTLS mode.\n\nOn the TX side tls_sw_fallback is used to encrypt all packets. The RX\nside already has all the necessary fallbacks, because receiving\nnon-decrypted packets is supported. The thing needed on the RX side is\nto block resync requests, which are normally produced after receiving\nnon-decrypted packets.\n\nThe necessary synchronization is implemented for a graceful teardown:\nfirst the fallbacks are deployed, then the driver resources are released\n(it used to be possible to have a tls_dev_resync after tls_dev_del).\n\nA new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback\nmode. 
It's used to skip the RX resync logic completely, as it becomes\nuseless, and some objects may be released (for example, resync_async,\nwhich is allocated and freed by the driver).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47131", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47131", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47131", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47131", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47131", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47131" } }, "CVE-2021-47132": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc5", "breaks": "64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25", "cmt_msg": "mptcp: fix sk_forward_memory corruption on retransmission", "fixes": "b5941f066b4ca331db225a976dae1d6ca8cf0ae3", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sk_forward_memory corruption on retransmission\n\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\n\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\n\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\n\nAddress the issue providing and using a new variant of blamed function\nwhich explicitly acquires the msk spin lock.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47132", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47132", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47132", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47132", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47132", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47132" } }, 
"CVE-2021-47133": { "affected_versions": "unk to v5.13-rc5", "breaks": "", "cmt_msg": "HID: amd_sfh: Fix memory leak in amd_sfh_work", "fixes": "5ad755fd2b326aa2bc8910b0eb351ee6aece21b1", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Fix memory leak in amd_sfh_work\n\nKmemleak tool detected a memory leak in the amd_sfh driver.\n\n====================\nunreferenced object 0xffff88810228ada0 (size 32):\n comm \"insmod\", pid 3968, jiffies 4295056001 (age 775.792s)\n hex dump (first 32 bytes):\n 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s.............\n 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 \"...............\n backtrace:\n [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0\n [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh]\n [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh]\n [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub]\n [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common]\n [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d]\n [<00000000915760ce>] platform_probe+0x6a/0xd0\n [<0000000060258a1f>] really_probe+0x192/0x620\n [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0\n [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110\n [<0000000070d15018>] bus_for_each_drv+0xfd/0x160\n [<0000000013a3c312>] __device_attach+0x18b/0x220\n [<000000008c7b4afc>] device_initial_probe+0x13/0x20\n [<00000000e6e99665>] bus_probe_device+0xfe/0x120\n [<00000000833fa90b>] device_add+0x6a6/0xe00\n [<00000000fa901078>] platform_device_add+0x180/0x380\n====================\n\nThe fix is to freeing request_list entry once the processed entry is\nremoved from the request_list.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47133", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47133", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-47133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47133", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47133", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47133" } }, "CVE-2021-47134": { "affected_versions": "v5.10-rc1 to v5.13-rc5", "breaks": "b91540d52a08b65eb6a2b09132e1bd54fa82754c", "cmt_msg": "efi/fdt: fix panic when no valid fdt found", "fixes": "668a84c1bfb2b3fd5a10847825a854d63fac7baa", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/fdt: fix panic when no valid fdt found\n\nsetup_arch() would invoke efi_init()->efi_get_fdt_params(). If no\nvalid fdt found then initial_boot_params will be null. So we\nshould stop further fdt processing here. I encountered this\nissue on risc-v.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47134", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47134", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47134", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47134", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47134", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47134" } }, "CVE-2021-47135": { "affected_versions": "unk to v5.13-rc5", "breaks": "", "cmt_msg": "mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report", "fixes": "d874e6c06952382897d35bf4094193cd44ae91bd", "last_affected_version": "5.12.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report\n\nFix possible array out of bound access in mt7921_mcu_tx_rate_report.\nRemove unnecessary varibable in mt7921_mcu_tx_rate_report", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47135", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47135", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-47135", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47135", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47135", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47135" } }, "CVE-2021-47136": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "net: zero-initialize tc skb extension on allocation", "fixes": "9453d45ecb6c2199d72e73c993e9d98677a2801b", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: zero-initialize tc skb extension on allocation\n\nFunction skb_ext_add() doesn't initialize created skb extension with any\nvalue and leaves it up to the user. However, since extension of type\nTC_SKB_EXT originally contained only single value tc_skb_ext->chain its\nusers used to just assign the chain value without setting whole extension\nmemory to zero first. This assumption changed when TC_SKB_EXT extension was\nextended with additional fields but not all users were updated to\ninitialize the new fields which leads to use of uninitialized memory\nafterwards. UBSAN log:\n\n[ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28\n[ 778.301495] load of value 107 is not a valid value for type '_Bool'\n[ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2\n[ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 778.307901] Call Trace:\n[ 778.308680] \n[ 778.309358] dump_stack+0xbb/0x107\n[ 778.310307] ubsan_epilogue+0x5/0x40\n[ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48\n[ 778.312454] ? memset+0x20/0x40\n[ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]\n[ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch]\n[ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]\n[ 778.317188] ? create_prof_cpu_mask+0x20/0x20\n[ 778.318220] ? 
arch_stack_walk+0x82/0xf0\n[ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb\n[ 778.320399] ? stack_trace_save+0x91/0xc0\n[ 778.321362] ? stack_trace_consume_entry+0x160/0x160\n[ 778.322517] ? lock_release+0x52e/0x760\n[ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch]\n[ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]\n[ 778.325950] __netif_receive_skb_core+0x771/0x2db0\n[ 778.327067] ? lock_downgrade+0x6e0/0x6f0\n[ 778.328021] ? lock_acquire+0x565/0x720\n[ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0\n[ 778.329902] ? inet_gro_receive+0x2a7/0x10a0\n[ 778.330914] ? lock_downgrade+0x6f0/0x6f0\n[ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0\n[ 778.332876] ? lock_release+0x52e/0x760\n[ 778.333808] ? dev_gro_receive+0xcc8/0x2380\n[ 778.334810] ? lock_downgrade+0x6f0/0x6f0\n[ 778.335769] __netif_receive_skb_list_core+0x295/0x820\n[ 778.336955] ? process_backlog+0x780/0x780\n[ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]\n[ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0\n[ 778.341033] ? kvm_clock_get_cycles+0x14/0x20\n[ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0\n[ 778.343288] ? __kasan_kmalloc+0x7a/0x90\n[ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]\n[ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]\n[ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820\n[ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]\n[ 778.349688] ? napi_gro_flush+0x26c/0x3c0\n[ 778.350641] napi_complete_done+0x188/0x6b0\n[ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]\n[ 778.352853] __napi_poll+0x9f/0x510\n[ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]\n[ 778.355158] net_rx_action+0x34c/0xa40\n[ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0\n[ 778.357083] ? sched_clock_cpu+0x18/0x190\n[ 778.358041] ? 
__common_interrupt+0x8e/0x1a0\n[ 778.359045] __do_softirq+0x1ce/0x984\n[ 778.359938] __irq_exit_rcu+0x137/0x1d0\n[ 778.360865] irq_exit_rcu+0xa/0x20\n[ 778.361708] common_interrupt+0x80/0xa0\n[ 778.362640] \n[ 778.363212] asm_common_interrupt+0x1e/0x40\n[ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10\n[ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00\n[ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246\n[ 778.370570] RAX\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47136", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47136", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47136", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47136", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47136", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47136" } }, "CVE-2021-47137": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "net: lantiq: fix memory corruption in RX ring", "fixes": "c7718ee96dbc2f9c5fc3b578abdf296dd44b9c20", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lantiq: fix memory corruption in RX ring\n\nIn a situation where memory allocation or dma mapping fails, an\ninvalid address is programmed into the descriptor. This can lead\nto memory corruption. If the memory allocation fails, DMA should\nreuse the previous skb and mapping and drop the packet. 
This patch\nalso increments rx drop counter.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47137", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47137", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47137", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47137", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47137", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47137" } }, "CVE-2021-47138": { "affected_versions": "v5.2-rc1 to v5.13-rc4", "breaks": "b1a79360ee862f8ada4798ad2346fa45bb41b527", "cmt_msg": "cxgb4: avoid accessing registers when clearing filters", "fixes": "88c380df84fbd03f9b137c2b9d0a44b9f2f553b0", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxgb4: avoid accessing registers when clearing filters\n\nHardware register having the server TID base can contain\ninvalid values when adapter is in bad state (for example,\ndue to AER fatal error). Reading these invalid values in the\nregister can lead to out-of-bound memory access. 
So, fix\nby using the saved server TID base when clearing filters.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47138", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47138", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47138", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47138", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47138", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47138" } }, "CVE-2021-47139": { "affected_versions": "v5.6-rc1 to v5.13-rc4", "breaks": "08a100689d4baf296d6898c687ea8d005da8d234", "cmt_msg": "net: hns3: put off calling register_netdev() until client initialize complete", "fixes": "a289a7e5c1d49b7d47df9913c1cc81fb48fab613", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. 
In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 
0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47139", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47139", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47139", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47139", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47139", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47139" } }, "CVE-2021-47140": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "iommu/amd: Clear DMA ops when switching domain", "fixes": "d6177a6556f853785867e2ec6d5b7f4906f0d809", "last_affected_version": "5.12.8", "last_modified": 
"2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Clear DMA ops when switching domain\n\nSince commit 08a27c1c3ecf (\"iommu: Add support to change default domain\nof an iommu group\") a user can switch a device between IOMMU and direct\nDMA through sysfs. This doesn't work for AMD IOMMU at the moment because\ndev->dma_ops is not cleared when switching from a DMA to an identity\nIOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an\nidentity domain, causing an oops:\n\n # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind\n # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type\n # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind\n ...\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n ...\n Call Trace:\n iommu_dma_alloc\n e1000e_setup_tx_resources\n e1000e_open\n\nSince iommu_change_dev_def_domain() calls probe_finalize() again, clear\nthe dma_ops there like Vt-d does.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47140", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47140", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47140", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47140", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47140", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47140" } }, "CVE-2021-47141": { "affected_versions": "v5.3-rc1 to v5.13-rc4", "breaks": "893ce44df56580fb878ca5af9c4a5fd87567da50", "cmt_msg": "gve: Add NULL pointer checks when freeing irqs.", "fixes": "5218e919c8d06279884aa0baf76778a6817d5b93", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Add NULL pointer checks when freeing irqs.\n\nWhen freeing notification blocks, we index priv->msix_vectors.\nIf we failed to allocate priv->msix_vectors (see abort_with_msix_vectors)\nthis could lead to 
a NULL pointer dereference if the driver is unloaded.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47141", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47141", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47141", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47141", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47141", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47141" } }, "CVE-2021-47142": { "affected_versions": "v2.6.12-rc2 to v5.13-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amdgpu: Fix a use-after-free", "fixes": "1e5c37385097c35911b0f8a0c67ffd10ee1af9a2", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a use-after-free\n\nlooks like we forget to set ttm->sg to NULL.\nHit panic below\n\n[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 1235.989074] Call Trace:\n[ 1235.991751] sg_free_table+0x17/0x20\n[ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]\n[ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]\n[ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm]\n[ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]\n[ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm]\n[ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm]\n[ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu]\n[ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]\n[ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]\n[ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47142", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47142", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47142", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47142", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-47142", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47142" } }, "CVE-2021-47143": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "net/smc: remove device from smcd_dev_list after failed device_add()", "fixes": "444d7be9532dcfda8e0385226c862fd7e986f607", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: remove device from smcd_dev_list after failed device_add()\n\nIf the device_add() for a smcd_dev fails, there's no cleanup step that\nrolls back the earlier list_add(). The device subsequently gets freed,\nand we end up with a corrupted list.\n\nAdd some error handling that removes the device from the list.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47143", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47143", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47143", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47143", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47143", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47143" } }, "CVE-2021-47144": { "affected_versions": "v2.6.12-rc2 to v5.13-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/amdgpu: fix refcount leak", "fixes": "fa7e6abc75f3d491bc561734312d065dc9dc2a77", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: fix refcount leak\n\n[Why]\nthe gem object rfb->base.obj[0] is get according to num_planes\nin amdgpufb_create, but is not put according to num_planes\n\n[How]\nput rfb->base.obj[0] in amdgpu_fbdev_destroy according to num_planes", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47144", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47144", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-47144", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47144", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47144", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47144" } }, "CVE-2021-47145": { "affected_versions": "unk to v5.13-rc3", "breaks": "", "cmt_msg": "btrfs: do not BUG_ON in link_to_fixup_dir", "fixes": "91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON in link_to_fixup_dir\n\nWhile doing error injection testing I got the following panic\n\n kernel BUG at fs/btrfs/tree-log.c:1862!\n invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n RIP: 0010:link_to_fixup_dir+0xd5/0xe0\n RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216\n RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0\n RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000\n RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001\n R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800\n R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065\n FS: 00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0\n Call Trace:\n replay_one_buffer+0x409/0x470\n ? btree_read_extent_buffer_pages+0xd0/0x110\n walk_up_log_tree+0x157/0x1e0\n walk_log_tree+0xa6/0x1d0\n btrfs_recover_log_trees+0x1da/0x360\n ? replay_one_extent+0x7b0/0x7b0\n open_ctree+0x1486/0x1720\n btrfs_mount_root.cold+0x12/0xea\n ? __kmalloc_track_caller+0x12f/0x240\n legacy_get_tree+0x24/0x40\n vfs_get_tree+0x22/0xb0\n vfs_kern_mount.part.0+0x71/0xb0\n btrfs_mount+0x10d/0x380\n ? 
vfs_parse_fs_string+0x4d/0x90\n legacy_get_tree+0x24/0x40\n vfs_get_tree+0x22/0xb0\n path_mount+0x433/0xa10\n __x64_sys_mount+0xe3/0x120\n do_syscall_64+0x3d/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nWe can get -EIO or any number of legitimate errors from\nbtrfs_search_slot(), panicking here is not the appropriate response. The\nerror path for this code handles errors properly, simply return the\nerror.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47145", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47145", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47145", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47145", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47145", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47145" } }, "CVE-2021-47146": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "mld: fix panic in mld_newpack()", "fixes": "020ef930b826d21c5446fdc9db80fd72a791bc21", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmld: fix panic in mld_newpack()\n\nmld_newpack() doesn't allow to allocate high order page,\nonly order-0 allocation is allowed.\nIf headroom size is too large, a kernel panic could occur in skb_put().\n\nTest commands:\n ip netns del A\n ip netns del B\n ip netns add A\n ip netns add B\n ip link add veth0 type veth peer name veth1\n ip link set veth0 netns A\n ip link set veth1 netns B\n\n ip netns exec A ip link set lo up\n ip netns exec A ip link set veth0 up\n ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0\n ip netns exec B ip link set lo up\n ip netns exec B ip link set veth1 up\n ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1\n for i in {1..99}\n do\n let A=$i-1\n ip netns exec A ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100\n ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev 
ip6gre$i\n ip netns exec A ip link set ip6gre$i up\n\n ip netns exec B ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100\n ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i\n ip netns exec B ip link set ip6gre$i up\n done\n\nSplat looks like:\nkernel BUG at net/core/skbuff.c:110!\ninvalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:skb_panic+0x15d/0x15f\nCode: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83\n41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89\n34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20\nRSP: 0018:ffff88810091f820 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000\nRDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb\nRBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031\nR10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028\nR13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0\nFS: 0000000000000000(0000) GS:ffff888117c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n skb_put.cold.104+0x22/0x22\n ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? rcu_read_lock_sched_held+0x91/0xc0\n mld_newpack+0x398/0x8f0\n ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600\n ? lock_contended+0xc40/0xc40\n add_grhead.isra.33+0x280/0x380\n add_grec+0x5ca/0xff0\n ? mld_sendpack+0xf40/0xf40\n ? lock_downgrade+0x690/0x690\n mld_send_initial_cr.part.34+0xb9/0x180\n ipv6_mc_dad_complete+0x15d/0x1b0\n addrconf_dad_completed+0x8d2/0xbb0\n ? 
lock_downgrade+0x690/0x690\n ? addrconf_rs_timer+0x660/0x660\n ? addrconf_dad_work+0x73c/0x10e0\n addrconf_dad_work+0x73c/0x10e0\n\nAllowing high order page allocation could fix this problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47146", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47146", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47146", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47146", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47146", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47146" } }, "CVE-2021-47147": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "ptp: ocp: Fix a resource leak in an error handling path", "fixes": "9c1bb37f8cad5e2ee1933fa1da9a6baa7876a8e4", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Fix a resource leak in an error handling path\n\nIf an error occurs after a successful 'pci_ioremap_bar()' call, it must be\nundone by a corresponding 'pci_iounmap()' call, as already done in the\nremove function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47147", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47147", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47147", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47147", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47147", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47147" } }, "CVE-2021-47148": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc4", "breaks": "81a4362016e7d8b17031fe1aa43cdb58a7f0f163", "cmt_msg": "octeontx2-pf: fix a buffer overflow in otx2_set_rxfh_context()", "fixes": "e5cc361e21648b75f935f9571d4003aaee480214", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix a buffer 
overflow in otx2_set_rxfh_context()\n\nThis function is called from ethtool_set_rxfh() and \"*rss_context\"\ncomes from the user. Add some bounds checking to prevent memory\ncorruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47148", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47148", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47148", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47148", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47148", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47148" } }, "CVE-2021-47149": { "affected_versions": "v2.6.12-rc2 to v5.13-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: fujitsu: fix potential null-ptr-deref", "fixes": "52202be1cd996cde6e8969a128dc27ee45a7cb5e", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fujitsu: fix potential null-ptr-deref\n\nIn fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer\nderef. 
To fix this, check the return value of ioremap and return -1\nto the caller in case of failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47149", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47149", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47149", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47149", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47149", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47149" } }, "CVE-2021-47150": { "affected_versions": "v3.18-rc1 to v5.13-rc4", "breaks": "59d0f746564495c7f54526674deabfcf101236a1", "cmt_msg": "net: fec: fix the potential memory leak in fec_enet_init()", "fixes": "619fee9eb13b5d29e4267cb394645608088c28a8", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: fix the potential memory leak in fec_enet_init()\n\nIf the memory allocated for cbd_base is failed, it should\nfree the memory allocated for the queues, otherwise it causes\nmemory leak.\n\nAnd if the memory allocated for the queues is failed, it can\nreturn error directly.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47150", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47150", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47150", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47150", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47150", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47150" } }, "CVE-2021-47151": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "interconnect: qcom: bcm-voter: add a missing of_node_put()", "fixes": "a00593737f8bac2c9e97b696e7ff84a4446653e8", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: bcm-voter: add a missing of_node_put()\n\nAdd a 
missing of_node_put() in of_bcm_voter_get() to avoid the\nreference leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47151", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47151", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47151", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47151", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47151", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47151" } }, "CVE-2021-47152": { "affected_versions": "v5.7-rc1 to v5.13-rc4", "breaks": "18b683bff89d46ace55f12d00c0440d44d6160c4", "cmt_msg": "mptcp: fix data stream corruption", "fixes": "29249eac5225429b898f278230a6ca2baa1ae154", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data stream corruption\n\nMaxim reported several issues when forcing a TCP transparent proxy\nto use the MPTCP protocol for the inbound connections. He also\nprovided a clean reproducer.\n\nThe problem boils down to 'mptcp_frag_can_collapse_to()' assuming\nthat only MPTCP will use the given page_frag.\n\nIf others - e.g. 
the plain TCP protocol - allocate page fragments,\nwe can end-up re-using already allocated memory for mptcp_data_frag.\n\nFix the issue ensuring that the to-be-expanded data fragment is\nlocated at the current page frag end.\n\nv1 -> v2:\n - added missing fixes tag (Mat)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47152", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47152", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47152", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47152", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47152", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47152" } }, "CVE-2021-47153": { "affected_versions": "v3.6-rc1 to v5.13-rc4", "breaks": "636752bcb5177a301d0266270661581de8624828", "cmt_msg": "i2c: i801: Don't generate an interrupt on bus reset", "fixes": "e4d8716c3dcec47f1557024add24e1f3c09eb24b", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Don't generate an interrupt on bus reset\n\nNow that the i2c-i801 driver supports interrupts, setting the KILL bit\nin a attempt to recover from a timed out transaction triggers an\ninterrupt. Unfortunately, the interrupt handler (i801_isr) is not\nprepared for this situation and will try to process the interrupt as\nif it was signaling the end of a successful transaction. 
In the case\nof a block transaction, this can result in an out-of-range memory\naccess.\n\nThis condition was reproduced several times by syzbot:\nhttps://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e\nhttps://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e\nhttps://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e\nhttps://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb\nhttps://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a\nhttps://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79\n\nSo disable interrupts while trying to reset the bus. Interrupts will\nbe enabled again for the following transaction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47153", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47153", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47153", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47153", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47153", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47153" } }, "CVE-2021-47158": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "net: dsa: sja1105: add error handling in sja1105_setup()", "fixes": "cec279a898a3b004411682f212215ccaea1cd0fb", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: add error handling in sja1105_setup()\n\nIf any of sja1105_static_config_load(), sja1105_clocking_setup() or\nsja1105_devlink_setup() fails, we can't just return in the middle of\nsja1105_setup() or memory will leak. 
Add a cleanup path.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47158", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47158", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47158", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47158", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47158", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47158" } }, "CVE-2021-47159": { "affected_versions": "v4.7-rc1 to v5.13-rc4", "breaks": "badf3ada60ab8f76f9488dc8f5c0c57f70682f5a", "cmt_msg": "net: dsa: fix a crash if ->get_sset_count() fails", "fixes": "a269333fa5c0c8e53c92b5a28a6076a28cde3e83", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix a crash if ->get_sset_count() fails\n\nIf ds->ops->get_sset_count() fails then it \"count\" is a negative error\ncode such as -EOPNOTSUPP. Because \"i\" is an unsigned int, the negative\nerror code is type promoted to a very high value and the loop will\ncorrupt memory until the system crashes.\n\nFix this by checking for error codes and changing the type of \"i\" to\njust int.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47159", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47159", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47159", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47159", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47159", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47159" } }, "CVE-2021-47160": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "net: dsa: mt7530: fix VLAN traffic leaks", "fixes": "474a2ddaa192777522a7499784f1d60691cd831a", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mt7530: fix VLAN traffic leaks\n\nPCR_MATRIX field was 
set to all 1's when VLAN filtering is enabled, but\nwas not reset when it is disabled, which may cause traffic leaks:\n\n\tip link add br0 type bridge vlan_filtering 1\n\tip link add br1 type bridge vlan_filtering 1\n\tip link set swp0 master br0\n\tip link set swp1 master br1\n\tip link set br0 type bridge vlan_filtering 0\n\tip link set br1 type bridge vlan_filtering 0\n\t# traffic in br0 and br1 will start leaking to each other\n\nAs port_bridge_{add,del} have set up PCR_MATRIX properly, remove the\nPCR_MATRIX write from mt7530_port_set_vlan_aware.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47160", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47160", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47160", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47160", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47160", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47160" } }, "CVE-2021-47161": { "affected_versions": "v4.10-rc1 to v5.13-rc4", "breaks": "90ba37033cb94207e97c4ced9be575770438213b", "cmt_msg": "spi: spi-fsl-dspi: Fix a resource leak in an error handling path", "fixes": "680ec0549a055eb464dce6ffb4bfb736ef87236e", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-dspi: Fix a resource leak in an error handling path\n\n'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the\nerror handling path of the probe function, as already done in the remove\nfunction", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47161", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47161", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47161", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47161", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47161", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47161" } }, 
"CVE-2021-47162": { "affected_versions": "v4.3 to v5.13-rc4", "breaks": "45c8b7b175ceb2d542e0fe15247377bf3bce29ec", "cmt_msg": "tipc: skb_linearize the head skb when reassembling msgs", "fixes": "b7df21cf1b79ab7026f545e7bf837bd5750ac026", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: skb_linearize the head skb when reassembling msgs\n\nIt's not a good idea to append the frag skb to a skb's frag_list if\nthe frag_list already has skbs from elsewhere, such as this skb was\ncreated by pskb_copy() where the frag_list was cloned (all the skbs\nin it were skb_get'ed) and shared by multiple skbs.\n\nHowever, the new appended frag skb should have been only seen by the\ncurrent skb. Otherwise, it will cause use after free crashes as this\nappended frag skb are seen by multiple skbs but it only got skb_get\ncalled once.\n\nThe same thing happens with a skb updated by pskb_may_pull() with a\nskb_cloned skb. Li Shuang has reported quite a few crashes caused\nby this when doing testing over macvlan devices:\n\n [] kernel BUG at net/core/skbuff.c:1970!\n [] Call Trace:\n [] skb_clone+0x4d/0xb0\n [] macvlan_broadcast+0xd8/0x160 [macvlan]\n [] macvlan_process_broadcast+0x148/0x150 [macvlan]\n [] process_one_work+0x1a7/0x360\n [] worker_thread+0x30/0x390\n\n [] kernel BUG at mm/usercopy.c:102!\n [] Call Trace:\n [] __check_heap_object+0xd3/0x100\n [] __check_object_size+0xff/0x16b\n [] simple_copy_to_iter+0x1c/0x30\n [] __skb_datagram_iter+0x7d/0x310\n [] __skb_datagram_iter+0x2a5/0x310\n [] skb_copy_datagram_iter+0x3b/0x90\n [] tipc_recvmsg+0x14a/0x3a0 [tipc]\n [] ____sys_recvmsg+0x91/0x150\n [] ___sys_recvmsg+0x7b/0xc0\n\n [] kernel BUG at mm/slub.c:305!\n [] Call Trace:\n [] \n [] kmem_cache_free+0x3ff/0x400\n [] __netif_receive_skb_core+0x12c/0xc40\n [] ? kmem_cache_alloc+0x12e/0x270\n [] netif_receive_skb_internal+0x3d/0xb0\n [] ? 
get_rx_page_info+0x8e/0xa0 [be2net]\n [] be_poll+0x6ef/0xd00 [be2net]\n [] ? irq_exit+0x4f/0x100\n [] net_rx_action+0x149/0x3b0\n\n ...\n\nThis patch is to fix it by linearizing the head skb if it has frag_list\nset in tipc_buf_append(). Note that we choose to do this before calling\nskb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can\nnot just drop the frag_list either as the early time.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47162", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47162", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47162", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47162", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47162", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47162" } }, "CVE-2021-47163": { "affected_versions": "v4.1-rc1 to v5.13-rc4", "breaks": "d0f91938bede204a343473792529e0db7d599836", "cmt_msg": "tipc: wait and exit until all work queues are done", "fixes": "04c26faa51d1e2fe71cf13c45791f5174c37f986", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: wait and exit until all work queues are done\n\nOn some host, a crash could be triggered simply by repeating these\ncommands several times:\n\n # modprobe tipc\n # tipc bearer enable media udp name UDP1 localip 127.0.0.1\n # rmmod tipc\n\n [] BUG: unable to handle kernel paging request at ffffffffc096bb00\n [] Workqueue: events 0xffffffffc096bb00\n [] Call Trace:\n [] ? process_one_work+0x1a7/0x360\n [] ? worker_thread+0x30/0x390\n [] ? create_worker+0x1a0/0x1a0\n [] ? kthread+0x116/0x130\n [] ? kthread_flush_work_fn+0x10/0x10\n [] ? 
ret_from_fork+0x35/0x40\n\nWhen removing the TIPC module, the UDP tunnel sock will be delayed to\nrelease in a work queue as sock_release() can't be done in rtnl_lock().\nIf the work queue is schedule to run after the TIPC module is removed,\nkernel will crash as the work queue function cleanup_beareri() code no\nlonger exists when trying to invoke it.\n\nTo fix it, this patch introduce a member wq_count in tipc_net to track\nthe numbers of work queues in schedule, and wait and exit until all\nwork queues are done in tipc_exit_net().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47163", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47163", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47163", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47163", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47163", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47163" } }, "CVE-2021-47164": { "affected_versions": "v5.8-rc1 to v5.13-rc4", "breaks": "7e51891a237f9ea319f53f9beb83afb0077d88e6", "cmt_msg": "net/mlx5e: Fix null deref accessing lag dev", "fixes": "83026d83186bc48bb41ee4872f339b83f31dfc55", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix null deref accessing lag dev\n\nIt could be the lag dev is null so stop processing the event.\nIn bond_enslave() the active/backup slave being set before setting the\nupper dev so first event is without an upper dev.\nAfter setting the upper dev with bond_master_upper_dev_link() there is\na second event and in that event we have an upper dev.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47164", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47164", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47164", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47164", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-47164", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47164" } }, "CVE-2021-47165": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "drm/meson: fix shutdown crash when component not probed", "fixes": "7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: fix shutdown crash when component not probed\n\nWhen main component is not probed, by example when the dw-hdmi module is\nnot loaded yet or in probe defer, the following crash appears on shutdown:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000038\n...\npc : meson_drv_shutdown+0x24/0x50\nlr : platform_drv_shutdown+0x20/0x30\n...\nCall trace:\nmeson_drv_shutdown+0x24/0x50\nplatform_drv_shutdown+0x20/0x30\ndevice_shutdown+0x158/0x360\nkernel_restart_prepare+0x38/0x48\nkernel_restart+0x18/0x68\n__do_sys_reboot+0x224/0x250\n__arm64_sys_reboot+0x24/0x30\n...\n\nSimply check if the priv struct has been allocated before using it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47165", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47165", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47165", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47165", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47165", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47165" } }, "CVE-2021-47166": { "affected_versions": "v4.0-rc1 to v5.13-rc4", "breaks": "a7d42ddb3099727f58366fa006f850a219cce6c8", "cmt_msg": "NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()", "fixes": "0d0ea309357dea0d85a82815f02157eb7fcda39f", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Don't corrupt the value of pg_bytes_written in 
nfs_do_recoalesce()\n\nThe value of mirror->pg_bytes_written should only be updated after a\nsuccessful attempt to flush out the requests on the list.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47166", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47166", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47166", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47166" } }, "CVE-2021-47167": { "affected_versions": "v4.0-rc1 to v5.13-rc4", "breaks": "a7d42ddb3099727f58366fa006f850a219cce6c8", "cmt_msg": "NFS: Fix an Oopsable condition in __nfs_pageio_add_request()", "fixes": "56517ab958b7c11030e626250c00b9b1a24b41eb", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix an Oopsable condition in __nfs_pageio_add_request()\n\nEnsure that nfs_pageio_error_cleanup() resets the mirror array contents,\nso that the structure reflects the fact that it is now empty.\nAlso change the test in nfs_pageio_do_add_request() to be more robust by\nchecking whether or not the list is empty rather than relying on the\nvalue of pg_count.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47167", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47167", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47167", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47167", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47167", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47167" } }, "CVE-2021-47168": { "affected_versions": "v2.6.37-rc1 to v5.13-rc4", "breaks": "16b374ca439fb406e46e071f75428f5b033056f8", "cmt_msg": "NFS: fix an incorrect limit in filelayout_decode_layout()", "fixes": "769b01ea68b6c49dc3cde6adf7e53927dacbd3a8", "last_affected_version": "5.12.8", 
"last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fix an incorrect limit in filelayout_decode_layout()\n\nThe \"sizeof(struct nfs_fh)\" is two bytes too large and could lead to\nmemory corruption. It should be NFS_MAXFHSIZE because that's the size\nof the ->data[] buffer.\n\nI reversed the size of the arguments to put the variable on the left.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47168", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47168", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47168", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47168", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47168", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47168" } }, "CVE-2021-47169": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'", "fixes": "016002848c82eeb5d460489ce392d91fe18c475c", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'\n\nIn 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls\n'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the\nfirmware don't exists, function just return without initializing ports\nof 'rp2_card'. 
But now the interrupt handler function has been\nregistered, and when an interrupt comes, 'rp2_uart_interrupt' may access\nthose ports then causing NULL pointer dereference or other bugs.\n\nBecause the driver does some initialization work in 'rp2_fw_cb', in\norder to make the driver ready to handle interrupts, 'request_firmware'\nshould be used instead of asynchronous 'request_firmware_nowait'.\n\nThis report reveals it:\n\nINFO: trying to register non-static key.\nthe code is fine but needs lockdep annotation.\nturning off the locking correctness validator.\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-\ngc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xec/0x156 lib/dump_stack.c:118\n assign_lock_key kernel/locking/lockdep.c:727 [inline]\n register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753\n __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303\n lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907\n __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]\n _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144\n spin_lock include/linux/spinlock.h:329 [inline]\n rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline]\n rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493\n rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504\n __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149\n handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189\n handle_irq_event+0xac/0x140 kernel/irq/handle.c:206\n handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725\n generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]\n handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87\n do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247\n common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670\n \nRIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61\nCode: 00 00 
55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8\n8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90\n90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41\nRSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde\nRAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200\nRBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840\nR10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002\nR13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000\n arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]\n default_idle+0x6f/0x360 arch/x86/kernel/process.c:557\n arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548\n default_idle_call+0x3b/0x60 kernel/sched/idle.c:93\n cpuidle_idle_call kernel/sched/idle.c:153 [inline]\n do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263\n cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369\n start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271\n secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\nPGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0\nOops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-\ngc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]\nRIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]\nRIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:\n493\nCo\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47169", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47169", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47169", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47169", "SUSE": 
"https://www.suse.com/security/cve/CVE-2021-47169", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47169" } }, "CVE-2021-47170": { "affected_versions": "v2.6.12-rc2 to v5.13-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: usbfs: Don't WARN about excessively large memory allocations", "fixes": "4f2629ea67e7225c3fd292c7fe4f5b3c9d6392de", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbfs: Don't WARN about excessively large memory allocations\n\nSyzbot found that the kernel generates a WARNing if the user tries to\nsubmit a bulk transfer through usbfs with a buffer that is way too\nlarge. This isn't a bug in the kernel; it's merely an invalid request\nfrom the user and the usbfs code does handle it correctly.\n\nIn theory the same thing can happen with async transfers, or with the\npacket descriptor table for isochronous transfers.\n\nTo prevent the MM subsystem from complaining about these bad\nallocation requests, add the __GFP_NOWARN flag to the kmalloc calls\nfor these buffers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47170", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47170", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47170", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47170", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47170", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47170" } }, "CVE-2021-47171": { "affected_versions": "v2.6.34-rc2 to v5.13-rc4", "breaks": "d0cad871703b898a442e4049c532ec39168e5b57", "cmt_msg": "net: usb: fix memory leak in smsc75xx_bind", "fixes": "46a8b29c6306d8bbfd92b614ef65a47c900d8e70", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: fix memory leak in smsc75xx_bind\n\nSyzbot reported memory leak in 
smsc75xx_bind().\nThe problem was is non-freed memory in case of\nerrors after memory allocation.\n\nbacktrace:\n [] kmalloc include/linux/slab.h:556 [inline]\n [] kzalloc include/linux/slab.h:686 [inline]\n [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460\n [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47171", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47171", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47171", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47171", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47171", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47171" } }, "CVE-2021-47172": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers", "fixes": "f2a772c51206b0c3f262e4f6a3812c89a650191b", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7124: Fix potential overflow due to non sequential channel numbers\n\nChannel numbering must start at 0 and then not have any holes, or\nit is possible to overflow the available storage. Note this bug was\nintroduced as part of a fix to ensure we didn't rely on the ordering\nof child nodes. 
So we need to support arbitrary ordering but they all\nneed to be there somewhere.\n\nNote I hit this when using qemu to test the rest of this series.\nArguably this isn't the best fix, but it is probably the most minimal\noption for backporting etc.\n\nAlexandru's sign-off is here because he carried this patch in a larger\nset that Jonathan then applied.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47172", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47172", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47172", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47172", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47172", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47172" } }, "CVE-2021-47173": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "misc/uss720: fix memory leak in uss720_probe", "fixes": "dcb4b8ad6a448532d8b681b5d1a7036210b622de", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/uss720: fix memory leak in uss720_probe\n\nuss720_probe forgets to decrease the refcount of usbdev in uss720_probe.\nFix this by decreasing the refcount of usbdev by usb_put_dev.\n\nBUG: memory leak\nunreferenced object 0xffff888101113800 (size 2048):\n comm \"kworker/0:1\", pid 7, jiffies 4294956777 (age 28.870s)\n hex dump (first 32 bytes):\n ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........\n 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................\n backtrace:\n [] kmalloc include/linux/slab.h:554 [inline]\n [] kzalloc include/linux/slab.h:684 [inline]\n [] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582\n [] hub_port_connect drivers/usb/core/hub.c:5129 [inline]\n [] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]\n [] port_event drivers/usb/core/hub.c:5509 [inline]\n [] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591\n [] 
process_one_work+0x2c9/0x600 kernel/workqueue.c:2275\n [] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421\n [] kthread+0x178/0x1b0 kernel/kthread.c:292\n [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47173", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47173", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47173", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47173", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47173", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47173" } }, "CVE-2021-47174": { "affected_versions": "v5.7-rc1 to v5.13-rc4", "breaks": "7400b063969bdca4a06cd97f1294d765c8eecbe1", "cmt_msg": "netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version", "fixes": "f0b3d338064e1fe7531f0d2977e35f3b334abfb4", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version\n\nArturo reported this backtrace:\n\n[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0\n[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov 
async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod\n[709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common\n[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1\n[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020\n[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0\n[709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb\n[709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202\n[709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001\n[709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003\n[709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462\n[709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960\n[709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660\n[709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000\n[709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0\n[709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[709732.359003] PKRU: 55555554\n[709732.359005] Call Trace:\n[709732.359009] \n[709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]\n[709732.359046] ? sched_clock+0x5/0x10\n[709732.359054] ? sched_clock_cpu+0xc/0xb0\n[709732.359061] ? record_times+0x16/0x80\n[709732.359068] ? 
plist_add+0xc1/0x100\n[709732.359073] ? psi_group_change+0x47/0x230\n[709732.359079] ? skb_clone+0x4d/0xb0\n[709732.359085] ? enqueue_task_rt+0x22b/0x310\n[709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]\n[709732.359102] ? packet_rcv+0x40/0x4a0\n[709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]\n[709732.359133] nft_do_chain+0x350/0x500 [nf_tables]\n[709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables]\n[709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables]\n[709732.359172] ? fib4_rule_action+0x6d/0x80\n[709732.359178] ? fib_rules_lookup+0x107/0x250\n[709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]\n[709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat]\n[709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat]\n[709732.359207] nf_hook_slow+0x44/0xc0\n[709732.359214] ip_output+0xd2/0x100\n[709732.359221] ? __ip_finish_output+0x210/0x210\n[709732.359226] ip_forward+0x37d/0x4a0\n[709732.359232] ? ip4_key_hashfn+0xb0/0xb0\n[709732.359238] ip_subli\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47174", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47174", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47174", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47174", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47174", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47174" } }, "CVE-2021-47175": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "net/sched: fq_pie: fix OOB access in the traffic path", "fixes": "e70f7a11876a1a788ceadf75e9e5f7af2c868680", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fq_pie: fix OOB access in the traffic path\n\nthe following script:\n\n # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2\n # tc qdisc add dev eth0 clsact\n # tc filter add dev eth0 egress matchall action skbedit priority 0x10002\n # ping 192.0.2.2 
-I eth0 -c2 -w1 -q\n\nproduces the following splat:\n\n BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]\n Read of size 4 at addr ffff888171306924 by task ping/942\n\n CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n dump_stack+0x92/0xc1\n print_address_description.constprop.7+0x1a/0x150\n kasan_report.cold.13+0x7f/0x111\n fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]\n __dev_queue_xmit+0x1034/0x2b10\n ip_finish_output2+0xc62/0x2120\n __ip_finish_output+0x553/0xea0\n ip_output+0x1ca/0x4d0\n ip_send_skb+0x37/0xa0\n raw_sendmsg+0x1c4b/0x2d00\n sock_sendmsg+0xdb/0x110\n __sys_sendto+0x1d7/0x2b0\n __x64_sys_sendto+0xdd/0x1b0\n do_syscall_64+0x3c/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fe69735c3eb\n Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89\n RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb\n RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003\n RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260\n R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0\n\n Allocated by task 917:\n kasan_save_stack+0x19/0x40\n __kasan_kmalloc+0x7f/0xa0\n __kmalloc_node+0x139/0x280\n fq_pie_init+0x555/0x8e8 [sch_fq_pie]\n qdisc_create+0x407/0x11b0\n tc_modify_qdisc+0x3c2/0x17e0\n rtnetlink_rcv_msg+0x346/0x8e0\n netlink_rcv_skb+0x120/0x380\n netlink_unicast+0x439/0x630\n netlink_sendmsg+0x719/0xbf0\n sock_sendmsg+0xe2/0x110\n ____sys_sendmsg+0x5ba/0x890\n ___sys_sendmsg+0xe9/0x160\n __sys_sendmsg+0xd3/0x170\n do_syscall_64+0x3c/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The 
buggy address belongs to the object at ffff888171306800\n which belongs to the cache kmalloc-256 of size 256\n The buggy address is located 36 bytes to the right of\n 256-byte region [ffff888171306800, ffff888171306900)\n The buggy address belongs to the page:\n page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306\n head:00000000bcfb624e order:1 compound_mapcount:0\n flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n >ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ^\n ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nfix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a\nvalid flow: it's an address beyond the allocated memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47175", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47175", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47175", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47175", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47175", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47175" } }, "CVE-2021-47176": { "affected_versions": "v5.11-rc1 to v5.13-rc4", "breaks": "b72949328869dfd45f6452c2410647afd7db5f1a", "cmt_msg": "s390/dasd: add missing discipline function", "fixes": "c0c8a8397fa8a74d04915f4d3d28cb4a5d401427", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: add 
missing discipline function\n\nFix crash with illegal operation exception in dasd_device_tasklet.\nCommit b72949328869 (\"s390/dasd: Prepare for additional path event handling\")\nrenamed the verify_path function for ECKD but not for FBA and DIAG.\nThis leads to a panic when the path verification function is called for a\nFBA or DIAG device.\n\nFix by defining a wrapper function for dasd_generic_verify_path().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47176", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47176", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47176", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47176", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47176", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47176" } }, "CVE-2021-47177": { "affected_versions": "v4.11-rc1 to v5.13-rc4", "breaks": "39ab9555c24110671f8dc671311a26e5c985b592", "cmt_msg": "iommu/vt-d: Fix sysfs leak in alloc_iommu()", "fixes": "0ee74d5a48635c848c20f152d0d488bf84641304", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix sysfs leak in alloc_iommu()\n\niommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent\nerrors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47177", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47177", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47177", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47177", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47177", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47177" } }, "CVE-2021-47178": { "affected_versions": "v5.11-rc1 to v5.13-rc4", "breaks": "1526d9f10c6184031e42afad0adbdde1213e8ad1", "cmt_msg": "scsi: target: core: Avoid smp_processor_id() in preemptible code", "fixes": "70ca3c57ff914113f681e657634f7fbfa68e1ad1", 
"last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Avoid smp_processor_id() in preemptible code\n\nThe BUG message \"BUG: using smp_processor_id() in preemptible [00000000]\ncode\" was observed for TCMU devices with kernel config DEBUG_PREEMPT.\n\nThe message was observed when blktests block/005 was run on TCMU devices\nwith fileio backend or user:zbc backend [1]. The commit 1130b499b4a7\n(\"scsi: target: tcm_loop: Use LIO wq cmd submission helper\") triggered the\nsymptom. The commit modified work queue to handle commands and changed\n'current->nr_cpu_allowed' at smp_processor_id() call.\n\nThe message was also observed at system shutdown when TCMU devices were not\ncleaned up [2]. The function smp_processor_id() was called in SCSI host\nwork queue for abort handling, and triggered the BUG message. This symptom\nwas observed regardless of the commit 1130b499b4a7 (\"scsi: target:\ntcm_loop: Use LIO wq cmd submission helper\").\n\nTo avoid the preemptible code check at smp_processor_id(), get CPU ID with\nraw_smp_processor_id() instead. 
The CPU ID is used for performance\nimprovement then thread move to other CPU will not affect the code.\n\n[1]\n\n[ 56.468103] run blktests block/005 at 2021-05-12 14:16:38\n[ 57.369473] check_preemption_disabled: 85 callbacks suppressed\n[ 57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511\n[ 57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510\n[ 57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506\n[ 57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod]\n[ 57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34\n[ 57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018\n[ 57.369617] Call Trace:\n[ 57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507\n[ 57.369628] dump_stack+0x6d/0x89\n[ 57.369642] check_preemption_disabled+0xc8/0xd0\n[ 57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod]\n[ 57.369655] __target_init_cmd+0x157/0x170 [target_core_mod]\n[ 57.369695] target_init_cmd+0x76/0x90 [target_core_mod]\n[ 57.369732] tcm_loop_queuecommand+0x109/0x210 [tcm_loop]\n[ 57.369744] scsi_queue_rq+0x38e/0xc40\n[ 57.369761] __blk_mq_try_issue_directly+0x109/0x1c0\n[ 57.369779] blk_mq_try_issue_directly+0x43/0x90\n[ 57.369790] blk_mq_submit_bio+0x4e5/0x5d0\n[ 57.369812] submit_bio_noacct+0x46e/0x4e0\n[ 57.369830] __blkdev_direct_IO_simple+0x1a3/0x2d0\n[ 57.369859] ? set_init_blocksize.isra.0+0x60/0x60\n[ 57.369880] generic_file_read_iter+0x89/0x160\n[ 57.369898] blkdev_read_iter+0x44/0x60\n[ 57.369906] new_sync_read+0x102/0x170\n[ 57.369929] vfs_read+0xd4/0x160\n[ 57.369941] __x64_sys_pread64+0x6e/0xa0\n[ 57.369946] ? 
lockdep_hardirqs_on+0x79/0x100\n[ 57.369958] do_syscall_64+0x3a/0x70\n[ 57.369965] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 57.369973] RIP: 0033:0x7f7ed4c1399f\n[ 57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b\n[ 57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIG_RAX: 0000000000000011\n[ 57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f\n[ 57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009\n[ 57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001\n[ 57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70\n[ 57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568\n[ 57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34\n[ 57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018\n[ 57.370039] Call Trace:\n[ 57.370045] dump_stack+0x6d/0x89\n[ 57.370056] ch\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47178", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47178", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47178", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47178", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47178", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47178" } }, "CVE-2021-47179": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()", "fixes": "a421d218603ffa822a0b8045055c03eae394a7eb", "last_affected_version": "5.12.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()\n\nCommit de144ff4234f 
changes _pnfs_return_layout() to call\npnfs_mark_matching_lsegs_return() passing NULL as the struct\npnfs_layout_range argument. Unfortunately,\npnfs_mark_matching_lsegs_return() doesn't check if we have a value here\nbefore dereferencing it, causing an oops.\n\nI'm able to hit this crash consistently when running connectathon basic\ntests on NFS v4.1/v4.2 against Ontap.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47179", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47179", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47179", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47179", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47179", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47179" } }, "CVE-2021-47180": { "affected_versions": "unk to v5.13-rc4", "breaks": "", "cmt_msg": "NFC: nci: fix memory leak in nci_allocate_device", "fixes": "e0652f8bb44d6294eeeac06d703185357f25d50b", "last_affected_version": "5.12.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: fix memory leak in nci_allocate_device\n\nnfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev.\nFix this by freeing hci_dev in nci_free_device.\n\nBUG: memory leak\nunreferenced object 0xffff888111ea6800 (size 1024):\n comm \"kworker/1:0\", pid 19, jiffies 4294942308 (age 13.580s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff .........`......\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline]\n [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline]\n [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784\n [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline]\n [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132\n [<00000000006e0a8e>] 
nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153\n [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345\n [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554\n [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740\n [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846\n [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431\n [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914\n [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491\n [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109\n [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164\n [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2021-47180", "ExploitDB": "https://www.exploit-db.com/search?cve=2021-47180", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2021-47180", "Red Hat": "https://access.redhat.com/security/cve/CVE-2021-47180", "SUSE": "https://www.suse.com/security/cve/CVE-2021-47180", "Ubuntu": "https://ubuntu.com/security/CVE-2021-47180" } }, "CVE-2022-0001": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": 
"None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Unspecified", "fixes": "d45476d9832409371537013ebdd8dc1a7781f97a", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0001", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0001", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0001", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0001" } }, "CVE-2022-0002": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Unspecified", "fixes": "d45476d9832409371537013ebdd8dc1a7781f97a", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local 
access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0002", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0002", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0002", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0002" } }, "CVE-2022-0168": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cifs: fix NULL ptr dereference in smb2_ioctl_query_info()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "NULL Pointer Dereference", "fixes": "d6f5e358452479fa8a773b5c6ccc9e4ec5a20880", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A denial of service (DOS) issue was found in the Linux kernel\u2019s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. 
This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0168", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0168", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0168", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0168", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0168", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0168" } }, "CVE-2022-0171": { "affected_versions": "v5.10-rc1 to v5.18-rc4", "breaks": "f980f9c31a923e9040dee0bc679a5f5b09e61f40", "cmt_msg": "KVM: SEV: add cache flush to solve SEV cache incoherency issues", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Incomplete Cleanup", "fixes": "683412ccf61294d727ead4a73d97397396e69a6b", "last_affected_version": "5.15.69", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. 
The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0171", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0171", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0171", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0171", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0171", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0171" } }, "CVE-2022-0185": { "affected_versions": "v5.1-rc1 to v5.17-rc1", "breaks": "3e1aeb00e6d132efc151dacc062b38269bc9eccc", "cmt_msg": "vfs: fs_context: fix up param length parsing in legacy_parse_param", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.4 }, "cwe": "Integer Overflow or Wraparound", "fixes": "722d94847de29310e8aa03fcbdb41fc92c521756", "last_affected_version": "5.16.1", "last_modified": "2023-12-06", "nvd_text": "A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. 
An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0185", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0185", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0185", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0185", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0185", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0185" } }, "CVE-2022-0264": { "affected_versions": "v5.12-rc1-dontuse to v5.16-rc6", "breaks": "37086bfdc737ea6f66bf68dcf16757004d68e1e1", "cmt_msg": "bpf: Fix kernel address leakage in atomic fetch", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Improper Handling of Exceptional Conditions", "fixes": "7d3baf0afa3aa9102d6a521a8e4c41888bb79882", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. 
This flaws affects kernel versions < v5.16-rc6", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0264", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0264", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0264", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0264", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0264", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0264" } }, "CVE-2022-0286": { "affected_versions": "v5.9-rc1 to v5.14-rc2", "breaks": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4", "cmt_msg": "bonding: fix null dereference in bond_ipsec_add_sa()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "105cd17a866017b45f3c45901b394c711c97bf40", "last_affected_version": "5.13.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. 
A null pointer dereference in bond_ipsec_add_sa() may lead to local denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0286", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0286", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0286", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0286", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0286", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0286" } }, "CVE-2022-0322": { "affected_versions": "v4.11-rc1 to v5.15-rc6", "breaks": "cc16f00f6529aa2378f2b949a6f68e9dc6dec363", "cmt_msg": "sctp: account stream padding length for reconf chunk", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Incorrect Type Conversion or Cast", "fixes": "a2d859e3fc97e79d907761550dbc03ff1b36479c", "last_affected_version": "5.14.13", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. 
In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0322", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0322", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0322", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0322", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0322", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0322" } }, "CVE-2022-0330": { "affected_versions": "v2.6.12-rc2 to v5.17-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/i915: Flush TLBs before releasing backing store", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Preservation of Permissions", "fixes": "7938d61591d33394a21bdd7797a245b65428f44c", "last_affected_version": "5.16.3", "last_modified": "2023-12-06", "nvd_text": "A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. 
This flaw allows a local user to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0330", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0330", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0330", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0330", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0330", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0330" } }, "CVE-2022-0382": { "affected_versions": "v2.6.12-rc2 to v5.16", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net ticp:fix a kernel-infoleak in __tipc_sendmsg()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Missing Initialization of Resource", "fixes": "d6d86830705f173fca6087a3e67ceaf68db80523", "last_affected_version": "5.15", "last_modified": "2023-12-06", "nvd_text": "An information leak flaw was found due to uninitialized memory in the Linux kernel's TIPC protocol subsystem, in the way a user sends a TIPC datagram to one or more destinations. This flaw allows a local user to read some kernel memory. This issue is limited to no more than 7 bytes, and the user cannot control what is read. 
This flaw affects the Linux kernel versions prior to 5.17-rc1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0382", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0382", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0382", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0382", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0382", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0382" } }, "CVE-2022-0400": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Out-of-bounds Read", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0400", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0400", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0400", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0400", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0400", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0400" } }, "CVE-2022-0433": { "affected_versions": "v5.16-rc1 to v5.17-rc1", "breaks": "9330986c03006ab1d33d243b7cfe598a7a3c1baa", "cmt_msg": "bpf: Add missing map_get_next_key method to bloom filter map.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "3ccdcee28415c4226de05438b4d89eb5514edf73", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel's BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter. This flaw allows a local user to crash the system. This flaw affects Linux kernel versions prior to 5.17-rc1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0433", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0433", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0433", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0433", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0433", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0433" } }, "CVE-2022-0435": { "affected_versions": "v4.8-rc1 to v5.17-rc4", "breaks": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "cmt_msg": "tipc: improve size validations for received domain records", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "score": 9.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Out-of-bounds Write", "fixes": "9aa422ad326634b76309e8ff342c246800621216", "last_affected_version": "5.16.8", "last_modified": "2023-12-06", "nvd_text": "A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a 
packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0435", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0435", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0435", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0435", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0435", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0435" } }, "CVE-2022-0480": { "affected_versions": "v2.6.12-rc2 to v5.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "memcg: enable accounting for file lock caches", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Allocation of Resources Without Limits or Throttling", "fixes": "0f12156dff2862ac54235fc72703f18770769042", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. 
This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0480", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0480", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0480", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0480", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0480", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0480" } }, "CVE-2022-0487": { "affected_versions": "v3.16-rc1 to v5.17-rc4", "breaks": "1b66e94e6b9995323190f31c51d8e1a6f516627e", "cmt_msg": "moxart: fix potential use-after-free on remove path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Use After Free", "fixes": "bd2db32e7c3e35bd4d9b8bbff689434a50893546", "last_affected_version": "5.16.8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. 
This flaw affects kernel versions prior to 5.14 rc1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0487", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0487", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0487", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0487", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0487", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0487" } }, "CVE-2022-0492": { "affected_versions": "v2.6.24-rc1 to v5.17-rc3", "breaks": "81a6a5cdd2c5cd70874b88afe524ab09e9e869af", "cmt_msg": "cgroup-v1: Require capabilities to set release_agent", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Authentication", "fixes": "24f6008564183aa120d07c03d9289519c2fe02af", "last_affected_version": "5.16.5", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel\u2019s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. 
This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0492", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0492", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0492", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0492", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0492", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0492" } }, "CVE-2022-0494": { "affected_versions": "v2.6.12-rc2 to v5.17-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "cc8f7fe1f5eab010191aa4570f27641876fa1267", "last_affected_version": "5.16.12", "last_modified": "2023-12-06", "nvd_text": "A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. 
This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0494", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0494", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0494", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0494", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0494", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0494" } }, "CVE-2022-0500": { "affected_versions": "v5.10-rc1 to v5.17-rc1", "breaks": "63d9b80dcf2c67bc5ade61cbbaa09d7af21f43f1", "cmt_msg": "bpf: Introduce MEM_RDONLY flag", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "20b2aff4bc15bda809f994761d5719827d66c0b4", "last_affected_version": "5.16.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel\u2019s BPF subsystem due to the way a user loads BTF. 
This flaw allows a local user to crash or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0500", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0500", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0500", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0500", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0500", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0500" } }, "CVE-2022-0516": { "affected_versions": "v5.7-rc1 to v5.17-rc4", "breaks": "19e1227768863a1469797c13ef8fea1af7beac2c", "cmt_msg": "KVM: s390: Return error on SIDA memop on normal guest", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "2c212e1baedcd782b2535a3f86bc491977677c0e", "last_affected_version": "5.16.8", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. 
This flaw affects Linux kernel versions prior to 5.17-rc4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0516", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0516", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0516", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0516" } }, "CVE-2022-0617": { "affected_versions": "v4.2-rc1 to v5.17-rc2", "breaks": "52ebea749aaed195245701a8f90a23d672c7a933", "cmt_msg": "udf: Fix NULL ptr deref when converting from inline format", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "7fc3b7c2981bbd1047916ade327beccb90994eee", "last_affected_version": "5.16.4", "last_modified": "2023-12-06", "nvd_text": "A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. 
Actual from Linux kernel 4.2-rc1 till 5.17-rc2.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0617", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0617", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0617", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0617", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0617", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0617" } }, "CVE-2022-0644": { "affected_versions": "v4.6-rc1 to v5.15-rc7", "breaks": "b844f0ecbc5626ec26cfc70cb144a4c9b85dc3f2", "cmt_msg": "vfs: check fd has read access in kernel_read_file_from_fd()", "fixes": "032146cda85566abcd1c4884d9d23e4e30a07e9a", "last_affected_version": "5.14.14", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0644", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0644", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0644", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0644", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0644", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0644" }, "rejected": true }, "CVE-2022-0646": { "affected_versions": "v5.17-rc1 to v5.17-rc5", "breaks": "7bd9890f3d74e96f0e1a898f68decfc711de3001", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "6c342ce2239c182c2428ce5a44cb32330434ae6e", "last_modified": "2023-12-06", "nvd_text": "A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0646", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0646", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0646", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0646" } }, "CVE-2022-0742": { "affected_versions": "v5.13-rc1 to v5.17-rc7", "breaks": "f185de28d9ae6c978135993769352e523ee8df06", "cmt_msg": "ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "score": 7.8 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "2d3916f3189172d5c69d33065c3c21119fe539fc", "last_affected_version": "5.16.12", "last_modified": "2023-12-06", "nvd_text": "Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a 
host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0742", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0742", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0742", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0742", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0742", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0742" } }, "CVE-2022-0812": { "affected_versions": "v4.7-rc1 to v5.8-rc6", "breaks": "302d3deb20682a076e1ab551821cacfdc81c5e4f", "cmt_msg": "xprtrdma: fix incorrect header size calculations", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 4.3 }, "cwe": "Unspecified", "fixes": "912288442cb2f431bf3c8cb097a5de83bc6dbac1", "last_affected_version": "5.7.9", "last_modified": "2023-12-06", "nvd_text": "An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. 
This flaw allows an attacker with normal user privileges to leak kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0812", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0812", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0812", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0812", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0812", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0812" } }, "CVE-2022-0847": { "affected_versions": "v5.8-rc1 to v5.17-rc6", "breaks": "f6dd975583bd8ce088400648fd9819e4691c8958", "cmt_msg": "lib/iov_iter: initialize \"flags\" in new pipe_buffer", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Initialization", "fixes": "9d2231c5d74e13b2a0546fee6737ee4446017903", "last_affected_version": "5.16.10", "last_modified": "2023-12-06", "name": "Dirty Pipe", "nvd_text": "A flaw was found in the way the \"flags\" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. 
An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0847", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0847", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0847", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0847", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0847", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0847" } }, "CVE-2022-0850": { "affected_versions": "v2.6.19-rc2 to v5.14-rc1", "breaks": "a86c61812637c7dd0c57e29880cffd477b62f2e7", "cmt_msg": "ext4: fix kernel infoleak via ext4_extent_header", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Unspecified", "fixes": "ce3aba43599f0b50adbebff133df8d08a3d5fffe", "last_affected_version": "5.13.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0850", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0850", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0850", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0850", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0850", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0850" } }, "CVE-2022-0854": { "affected_versions": "v5.17-rc6 to v5.17-rc8", "breaks": "ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e", "cmt_msg": "swiotlb: rework \"fix info leak with DMA_FROM_DEVICE\"", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13", "last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0854", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0854", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0854", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0854", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0854", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0854" } }, "CVE-2022-0995": { "affected_versions": "v5.8-rc1 to v5.17-rc8", "breaks": "c73be61cede5882f9605a852414db559c0ebedfd", "cmt_msg": "watch_queue: Fix filter limit check", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "c993ee0f9f81caf5767a50d1faeba39a0dc82af2", 
"last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel\u2019s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0995", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0995", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0995", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0995" } }, "CVE-2022-0998": { "affected_versions": "v5.7-rc1 to v5.17-rc1", "breaks": "4c8cf31885f69e86be0b5b9e6677a26797365e1d", "cmt_msg": "vdpa: clean up get_config_size ret value handling", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "870aaff92e959e29d40f9cfdb5ed06ba2fc2dae0", "last_modified": "2023-12-06", "nvd_text": "An integer overflow flaw was found in the Linux kernel\u2019s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-0998", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-0998", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-0998", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-0998", "SUSE": "https://www.suse.com/security/cve/CVE-2022-0998", "Ubuntu": "https://ubuntu.com/security/CVE-2022-0998" } }, "CVE-2022-1011": { "affected_versions": "v2.6.35-rc1 to v5.17-rc8", "breaks": "c3021629a0d820247ee12b6c5192a1d5380e21c6", "cmt_msg": "fuse: fix pipe buffer lifetime for direct_io", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "0c4bcfdecb1ac0967619ee7ff44871d93c08c909", "last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s FUSE filesystem in the way a user triggers write(). 
This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1011", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1011", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1011", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1011", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1011", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1011" } }, "CVE-2022-1012": { "affected_versions": "v2.6.12-rc2 to v5.18-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "secure_seq: use the 64 bits of the siphash for port offset calculation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "score": 8.2 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "b2d057560b8107c633b39aabe517ff9d93f285e3", "last_affected_version": "5.17.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. 
This flaw may allow an attacker to information leak and may cause a denial of service problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1012", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1012", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1012", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1012", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1012", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1012" } }, "CVE-2022-1015": { "affected_versions": "v5.12-rc1-dontuse to v5.18-rc1", "breaks": "345023b0db315648ccc3c1a36aee88304a8b4d91", "cmt_msg": "netfilter: nf_tables: validate registers coming from userspace.", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "score": 6.6 }, "cwe": "Out-of-bounds Write", "fixes": "6e1acfa387b9ff82cfc7db8cc3b6959221a95851", "last_affected_version": "5.17.0", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. 
This flaw allows a local user to cause an out-of-bounds write issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1015", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1015", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1015", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1015", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1015", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1015" } }, "CVE-2022-1016": { "affected_versions": "v3.13-rc1 to v5.18-rc1", "breaks": "96518518cc417bb0a8c80b9fb736202e28acdf96", "cmt_msg": "netfilter: nf_tables: initialize registers in nft_do_chain()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Use After Free", "fixes": "4c905f6740a365464e91467aa50916555b28213d", "last_affected_version": "5.17.0", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. 
This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1016", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1016", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1016", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1016", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1016", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1016" } }, "CVE-2022-1043": { "affected_versions": "v5.12-rc3 to v5.14-rc7", "breaks": "61cf93700fe6359552848ed5e3becba6cd760efa", "cmt_msg": "io_uring: fix xa_alloc_cycle() error return value check", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Use After Free", "fixes": "a30f895ad3239f45012e860d4f94c1a388b36d14", "last_affected_version": "5.13.12", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s io_uring implementation. 
This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1043", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1043", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1043", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1043", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1043", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1043" } }, "CVE-2022-1048": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: pcm: Fix races among concurrent hw_params and hw_free calls", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "92ee3c60ec9fe64404dc035e7c41277d74aa26cb", "last_affected_version": "5.17.0", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1048", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1048", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1048", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1048", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1048", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1048" } }, "CVE-2022-1055": { "affected_versions": "v5.1-rc1 to v5.17-rc3", "breaks": "470502de5bdb1ed0def643a4458593a40b8f6b66", "cmt_msg": "net: sched: fix use-after-free in tc_new_tfilter()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5", "last_affected_version": "5.16.5", "last_modified": "2023-12-06", "nvd_text": "A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. 
We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1055", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1055", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1055", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1055", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1055", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1055" } }, "CVE-2022-1116": { "affected_versions": "unk to unk", "backport": true, "breaks": "cac68d12c531aa3010509a5a55a5dfd18dedaa80", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "1a623d361ffe5cecd4244a02f449528416360038", "last_modified": "2023-12-06", "nvd_text": "Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root. 
This issue affects: Linux Kernel versions prior to 5.4.189; version 5.4.24 and later versions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1116", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1116", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1116", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1116", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1116", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1116" } }, "CVE-2022-1158": { "affected_versions": "v5.2-rc1 to v5.18-rc1", "breaks": "bd53cb35a3e9adb73a834a36586e9ad80e877767", "cmt_msg": "KVM: x86/mmu: do compare-and-exchange of gPTE via the user address", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "2a8859f373b0a86f0ece8ec8312607eacf12485d", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. 
As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1158", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1158", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1158", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1158", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1158", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1158" } }, "CVE-2022-1184": { "affected_versions": "v2.6.12-rc2 to v5.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: verify dir block before splitting it", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "46c116b920ebec58031f0a78c5ea9599b0d2a371", "last_affected_version": "5.18.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel\u2019s filesystem sub-component. 
This flaw allows a local attacker with a user privilege to cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1184", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1184", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1184", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1184", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1184", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1184" } }, "CVE-2022-1195": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "hamradio: improve the incomplete fix to avoid NPD", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "b2f37aead1b82a770c48b5d583f35ec22aabb61e", "last_affected_version": "5.15.11", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. 
This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1195", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1195", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1195", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1195", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1195", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1195" } }, "CVE-2022-1198": { "affected_versions": "v2.6.12-rc2 to v5.17-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "efe4186e6a1b54bf38b9e05450d43b0da1fd7739", "last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerabilitity was discovered in drivers/net/hamradio/6pack.c of linux that allows an attacker to crash linux kernel by simulating ax25 device using 6pack driver from user space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1198", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1198", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1198", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1198", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1198", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1198" } }, "CVE-2022-1199": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ax25: Fix NULL pointer dereference in ax25_kill_by_device", "cvss3": { 
"Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac", "last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1199", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1199", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1199", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1199", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1199", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1199" } }, "CVE-2022-1204": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ax25: Fix refcount leaks caused by ax25_cb_del()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "9fd75b66b8f68498454d685dc4ba13192ae069b0", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. 
This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1204", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1204", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1204", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1204", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1204", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1204" } }, "CVE-2022-1205": { "affected_versions": "v5.17-rc4 to v5.18-rc1", "breaks": "7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10", "cmt_msg": "ax25: Fix NULL pointer dereferences in ax25 timers", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "NULL Pointer Dereference", "fixes": "fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. 
This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1205", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1205", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1205", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1205", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1205", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1205" } }, "CVE-2022-1247": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. 
When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their \u201ccount\u201d and \u201cuse\u201d are zero.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1247", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1247", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1247", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1247", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1247", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1247" } }, "CVE-2022-1263": { "affected_versions": "v2.6.12-rc2 to v5.18-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: avoid NULL pointer dereference in kvm_dirty_ring_push", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "5593473a1e6c743764b08e3b6071cb43b5cfa6c4", "last_affected_version": "5.17.2", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. 
This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1263", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1263", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1263", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1263", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1263", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1263" } }, "CVE-2022-1280": { "affected_versions": "v2.6.12-rc2 to v5.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm: avoid circular locks in drm_mode_getconnector", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "cwe": "Use After Free", "fixes": "869e76f7a918f010bd4518d58886969b1f642a04", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. 
This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1280", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1280", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1280", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1280", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1280", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1280" } }, "CVE-2022-1353": { "affected_versions": "v2.6.12-rc2 to v5.17", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Unspecified", "fixes": "9a564bccb78a76740ea9d75a259942df8143d02c", "last_affected_version": "5.16", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. 
This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1353", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1353", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1353", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1353", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1353", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1353" } }, "CVE-2022-1419": { "affected_versions": "v4.1-rc1 to v5.6-rc2", "breaks": "502e95c6678505474f1056480310cd9382bacbac", "cmt_msg": "drm/vgem: Close use-after-free race in vgem_gem_create", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "4b848f20eda5974020f043ca14bacf7a7e634fc8", "last_affected_version": "5.5.4", "last_modified": "2023-12-06", "nvd_text": "The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1419", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1419", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1419", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1419", "SUSE": 
"https://www.suse.com/security/cve/CVE-2022-1419", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1419" } }, "CVE-2022-1462": { "affected_versions": "v2.6.12-rc2 to v5.19-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:P", "score": 3.3 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "a501ab75e7624d133a5a3c7ec010687c8b961d23", "last_affected_version": "5.18.12", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds read flaw was found in the Linux kernel\u2019s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. 
This flaw allows a local user to crash the system or read unauthorized random data from memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1462", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1462", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1462", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1462", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1462", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1462" } }, "CVE-2022-1508": { "affected_versions": "v5.11-rc1 to v5.15-rc1", "breaks": "632546c4b5a4dad8e3ac456406c65c0db9a0b570", "cmt_msg": "io_uring: reexpand under-reexpanded iters", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "score": 6.1 }, "cwe": "Out-of-bounds Read", "fixes": "89c2b3b74918200e46699338d7bcc19b1ea12110", "last_modified": "2024-01-15", "nvd_text": "An out-of-bounds read flaw was found in the Linux kernel\u2019s io_uring module in the way a user triggers the io_read() function with some special parameters. 
This flaw allows a local user to read some memory out of bounds.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1508", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1508", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1508", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1508" } }, "CVE-2022-1516": { "affected_versions": "v5.7-rc5 to v5.18-rc1", "breaks": "4becb7ee5b3d2829ed7b9261a245a77d5b7de902", "cmt_msg": "net/x25: Fix null-ptr-deref caused by x25_disconnect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "7781607938c8371d4c2b243527430241c62e39c2", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. 
This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1516", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1516", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1516", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1516" } }, "CVE-2022-1651": { "affected_versions": "v5.12-rc1-dontuse to v5.18-rc1", "breaks": "9c5137aedd112f78a968bdd2325de2ea06df46c0", "cmt_msg": "virt: acrn: fix a memory leak in acrn_dev_ioctl()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. 
This flaw allows a local privileged attacker to leak unauthorized kernel information, causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1651", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1651", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1651", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1651", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1651", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1651" } }, "CVE-2022-1652": { "affected_versions": "v2.6.12-rc2 to v5.18-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: use a statically allocated error counter", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8", "last_affected_version": "5.17.9", "last_modified": "2023-12-06", "nvd_text": "Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. 
By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1652", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1652", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1652", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1652", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1652", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1652" } }, "CVE-2022-1671": { "affected_versions": "v5.11-rc1 to v5.18-rc1", "breaks": "12da59fcab5a05d01773e7cb413b8b8f3bb4e334", "cmt_msg": "rxrpc: fix some null-ptr-deref bugs in server_key.c", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "NULL Pointer Dereference", "fixes": "ff8376ade4f668130385839cef586a0990f8ef87", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. 
This flaw allows a local attacker to crash the system or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1671", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1671", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1671", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1671", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1671", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1671" } }, "CVE-2022-1678": { "affected_versions": "v4.18-rc1 to v4.20-rc1", "alt_msg": "tcp: fix possible socket leaks in internal pacing mode", "breaks": "73a6bab5aa2a83cb7df85805e08bc03b4065aea7", "cmt_msg": "tcp: optimize tcp internal pacing", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "score": 5.0 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Unspecified", "fixes": "864e5c090749448e879e86bec06ee396aa2c19c5", "last_affected_version": "4.19.227", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1678", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1678", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1678", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1678", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1678", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1678" } }, 
"CVE-2022-1679": { "affected_versions": "v2.6.35-rc1 to v6.0-rc1", "breaks": "fb9987d0f748c983bb795a86f47522313f701a08", "cmt_msg": "ath9k: fix use-after-free in ath9k_hif_usb_rx_cb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "0ac4827f78c7ffe8eef074bc010e7e34bc22f533", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1679", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1679", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1679", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1679", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1679", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1679" } }, "CVE-2022-1729": { "affected_versions": "v4.0-rc1 to v5.18", "breaks": "f63a8daa5812afef4f06c962351687e1ff9ccb2b", "cmt_msg": "perf: Fix sys_perf_event_open() race against self", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "3ac6487e584a1eb54071dbe1212e05b884136704", "last_affected_version": "5.17", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. 
The bug allows an attacker to build several exploit primitives, such as a kernel address information leak, arbitrary execution, etc.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1729", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1729", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1729", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1729", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1729", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1729" } }, "CVE-2022-1734": { "affected_versions": "v4.4-rc1 to v5.18-rc6", "breaks": "3194c6870158e305dac2af52f83681e9cb67280f", "cmt_msg": "nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "d270453a0d9ec10bb8a802a142fb1b3601a83098", "last_affected_version": "5.17.6", "last_modified": "2023-12-06", "nvd_text": "A flaw in the Linux kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to a use-after-free (both read and write) when the cleanup routine and the firmware download routine are not synchronized.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1734", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1734", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1734", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1734", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1734", "Ubuntu": 
"https://ubuntu.com/security/CVE-2022-1734" } }, "CVE-2022-1786": { "affected_versions": "v5.10-rc1 to v5.12-rc1-dontuse", "alt_msg": "io_uring: always use original task when preparing req identity", "backport": true, "breaks": "500a373d731ac506612db12631ec21295c1ff360", "cmt_msg": "io_uring: remove io_identity", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "4379bf8bd70b5de6bba7d53015b0c36c57a634ee", "last_affected_version": "5.10.116", "last_modified": "2024-01-12", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. 
This flaw allows a local user to crash or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1786", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1786", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1786", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1786" } }, "CVE-2022-1789": { "affected_versions": "v4.19-rc1 to v5.18", "breaks": "eb4b248e152d3ecf189b9d32c04961360dbd938a", "cmt_msg": "KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "cwe": "NULL Pointer Dereference", "fixes": "9f46c187e2e680ecd9de7983e4d081c3391acc76", "last_affected_version": "5.17", "last_modified": "2023-12-06", "nvd_text": "With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. 
If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1789", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1789", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1789", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1789", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1789", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1789" } }, "CVE-2022-1836": { "affected_versions": "unk to v5.18-rc5", "breaks": "", "cmt_msg": "floppy: disable FDRAWCMD by default", "fixes": "233087ca063686964a53c829d547c7571e3f67bf", "last_affected_version": "5.17.5", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-33981. Reason: This candidate is a reservation duplicate of CVE-2022-33981. Notes: All CVE users should reference CVE-2022-33981 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1836", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1836", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1836", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1836", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1836", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1836" }, "rejected": true }, "CVE-2022-1852": { "affected_versions": "v5.12-rc1-dontuse to v5.19-rc1", "breaks": "4aa2691dcbd38ce1c461188799d863398dd2865d", "cmt_msg": "KVM: x86: avoid calling x86 emulator without a decoded instruction", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", 
"Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "fee060cd52d69c114b62d1a2948ea9648b5131f9", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in a guest on an Intel CPU.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1852", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1852", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1852", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1852", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1852", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1852" } }, "CVE-2022-1882": { "affected_versions": "v5.17-rc8 to v5.19-rc8", "breaks": "db8facfc9fafacefe8a835416a6b77c838088f8b", "cmt_msg": "watchqueue: make sure to serialize 'wqueue->defunct' properly", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "353f7988dd8413c47718f7ca79c030b6fb62cfe5", "last_affected_version": "5.18.14", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the 
Linux kernel\u2019s pipes functionality in how a user performs manipulations with the pipe via post_one_notification() after free_pipe_info() has already been called. This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1882", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1882", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1882", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1882", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1882", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1882" } }, "CVE-2022-1943": { "affected_versions": "v5.15-rc1 to v5.18-rc7", "breaks": "979a6e28dd969a2222545001f79566b4bfaf06c0", "cmt_msg": "udf: Avoid using stale lengthOfImpUse", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "c1ad35dd0548ce947d97aaf92f7f2f9a202951cf", "last_affected_version": "5.17.7", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory write flaw was found in the Linux kernel UDF file system functionality in the way a user triggers some file operation which triggers udf_write_fi(). 
A local user could use this flaw to crash the system or potentially", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1943", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1943", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1943", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1943", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1943", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1943" } }, "CVE-2022-1966": { "affected_versions": "unk to v5.19-rc1", "breaks": "", "cmt_msg": "netfilter: nf_tables: disallow non-stateful expression in sets earlier", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "520778042ccca019f3ffa136dd0ca565c486cedd", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-32250. Reason: This candidate is a duplicate of CVE-2022-32250. Notes: All CVE users should reference CVE-2022-32250 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1966", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1966", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1966", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1966", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1966", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1966" }, "rejected": true }, "CVE-2022-1972": { "affected_versions": "v5.6-rc1 to v5.19-rc1", "breaks": "f3a2181e16f1dcbf5446ed43f6b5d9f56c459f85", "cmt_msg": "netfilter: nf_tables: sanitize nft_set_desc_concat_parse()", "fixes": "fecf31ee395b0295f2d7260aa29946b7605f7c85", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-2078. Reason: This candidate is a reservation duplicate of CVE-2022-2078. Notes: All CVE users should reference CVE-2022-2078 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1972", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1972", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1972", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1972" }, "rejected": true }, "CVE-2022-1973": { "affected_versions": "v5.15-rc1 to v5.19-rc1", "breaks": "b46acd6a6a627d876898e1c84d3f84902264b445", "cmt_msg": "fs/ntfs3: Fix invalid free in log_replay", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Use After Free", "fixes": "f26967b9f7a830e228bb13fb41bd516ddd9d789d", "last_affected_version": "5.18.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. 
This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1973", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1973", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1973", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1973", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1973", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1973" } }, "CVE-2022-1974": { "affected_versions": "v3.1-rc1 to v5.18-rc6", "breaks": "3e256b8f8dfa309a80b5dece388d85d9a9801a29", "cmt_msg": "nfc: replace improper check device_is_registered() in netlink related functions", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.1 }, "cwe": "Use After Free", "fixes": "da5c0f119203ad9728920456a0f52a6d850c01cd", "last_affected_version": "5.17.6", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. 
This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1974", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1974", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1974", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1974", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1974", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1974" } }, "CVE-2022-1975": { "affected_versions": "v3.11-rc1 to v5.18-rc6", "breaks": "9674da8759df0d6c0d24e1ede6e2a1acdef91e3c", "cmt_msg": "NFC: netlink: fix sleep in atomic bug when firmware download timeout", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "4071bf121d59944d5cd2238de0642f3d7995a997", "last_affected_version": "5.17.6", "last_modified": "2023-12-06", "nvd_text": "There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by simulating a nfc device from user-space.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1975", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1975", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1975", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1975", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1975", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1975" } }, "CVE-2022-1976": { "affected_versions": "v5.18-rc2 to v5.19-rc1", "breaks": "d5361233e9ab920e135819f73dd8466355f1fddd", "cmt_msg": "io_uring: reinstate the inflight tracking", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7", "last_affected_version": "5.18.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This issue leads to memory corruption and possible privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1976", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1976", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1976", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1976", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1976", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1976" } }, "CVE-2022-1998": { "affected_versions": "v5.13-rc7 to v5.17-rc3", "breaks": "f644bc449b37cc32d3ce7b36a88073873aa21bd5", "cmt_msg": "fanotify: Fix stale file descriptor in copy_event_to_user()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "ee12595147ac1fbfb5bcb23837e26dd58d94b15d", "last_affected_version": "5.16.5", "last_modified": "2023-12-06", "nvd_text": "A use after free in the Linux kernel File System notify functionality was found in the way user triggers 
copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-1998", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-1998", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-1998", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-1998", "SUSE": "https://www.suse.com/security/cve/CVE-2022-1998", "Ubuntu": "https://ubuntu.com/security/CVE-2022-1998" } }, "CVE-2022-20008": { "affected_versions": "v4.16-rc1 to v5.17-rc5", "breaks": "81196976ed946cbf36bb41ddda402853c7df7cfa", "cmt_msg": "mmc: block: fix read single on recovery logic", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Use of Uninitialized Resource", "fixes": "54309fde1a352ad2674ebba004a79f7d20b9f037", "last_affected_version": "5.16.10", "last_modified": "2023-12-06", "nvd_text": "In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216481035References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20008", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20008", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20008", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20008", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20008", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20008" } }, "CVE-2022-20132": { "affected_versions": "v2.6.12-rc2 to v5.16-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: add hid_is_usb() function to make it simpler for USB detection", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Complete", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Out-of-bounds Read", "fixes": "f83baa0cb6cfc92ebaf7f9d3a99d7e34f2e77a8a", "last_affected_version": "5.15.7", "last_modified": "2023-12-06", "nvd_text": "In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-188677105References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20132", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20132", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20132", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20132", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20132", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20132" } }, "CVE-2022-20141": { "affected_versions": "v2.6.12-rc2 to v5.15-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "igmp: Add ip_mc_list lock in ip_check_mc_rcu", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Locking", "fixes": "23d2b94043ca8835bd1e67749020e839f396a1c2", "last_affected_version": "5.14.2", "last_modified": "2023-12-06", "nvd_text": "In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20141", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20141", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20141", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20141", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20141", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20141" } }, "CVE-2022-20148": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix UAF in f2fs_available_free_memory", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "5429c9dbc9025f9a166f64e22e3a69c94fd5b29b", "last_affected_version": "5.15.2", "last_modified": "2023-12-06", "nvd_text": "In TBD of TBD, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219513976References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20148", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20148", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20148", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20148", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20148", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20148" } }, "CVE-2022-20153": { "affected_versions": "v5.12-rc1-dontuse to v5.13-rc1", "breaks": "cb5e1b81304e089ee3ca948db4d29f71902eb575", "cmt_msg": "io_uring: return back safer resurrect", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "f70865db5ff35f5ed0c7e9ef63e7cca3d4947f04", "last_affected_version": "5.10.106", "last_modified": "2023-12-06", "nvd_text": "In rcu_cblist_dequeue of rcu_segcblist.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222091980References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20153", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20153", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20153", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20153", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20153", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20153" } }, "CVE-2022-20154": { "affected_versions": "v4.14-rc1 to v5.16-rc8", "breaks": "d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab", "cmt_msg": "sctp: use call_rcu to free endpoint", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "5ec7d18d1813a5bead0b495045606c93873aecbb", "last_affected_version": "5.15.12", "last_modified": "2023-12-06", "nvd_text": "In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174846563References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20154", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20154", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20154", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20154", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20154", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20154" } }, "CVE-2022-20158": { "affected_versions": "v2.6.14-rc3 to v5.17", "breaks": "0fb375fb9b93b7d822debc6a734052337ccfdb1f", "cmt_msg": "net/packet: fix slab-out-of-bounds access in packet_recvmsg()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "c700525fcc06b05adfea78039de02628af79e07a", "last_affected_version": "5.16", "last_modified": "2023-12-06", "nvd_text": "In bdi_put and bdi_unregister of backing-dev.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-182815710References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20158", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20158", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20158", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20158", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20158", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20158" } }, "CVE-2022-20166": { "affected_versions": "v2.6.12-rc2 to v5.10-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...) functions", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "aa838896d87af561a33ecefea1caa4c15a68bc47", "last_modified": "2023-12-06", "nvd_text": "In various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-182388481References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20166", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20166", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20166", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20166" } }, "CVE-2022-20368": { "affected_versions": "v2.6.14-rc3 to v5.17", "breaks": "0fb375fb9b93b7d822debc6a734052337ccfdb1f", "cmt_msg": "net/packet: fix slab-out-of-bounds access in packet_recvmsg()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "c700525fcc06b05adfea78039de02628af79e07a", "last_affected_version": "5.16", "last_modified": "2023-12-06", "nvd_text": "Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20368", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20368", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20368", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20368", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20368", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20368" } }, "CVE-2022-20369": { "affected_versions": "v2.6.35-rc1 to v5.18-rc1", "breaks": "7f98639def42a676998d734b381af6c0e64d7791", "cmt_msg": "media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", 
"Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "8310ca94075e784bbb06593cd6c068ee6b6e4ca6", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20369", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20369", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20369", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20369", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20369", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20369" } }, "CVE-2022-20409": { "affected_versions": "v5.10-rc1 to v5.12-rc1-dontuse", "breaks": "5c3462cfd123b341c9d3c947c1a2bab373f1697f", "cmt_msg": "io_uring: remove io_identity", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Use After Free", "fixes": "4379bf8bd70b5de6bba7d53015b0c36c57a634ee", "last_modified": "2023-12-06", "nvd_text": "In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-238177383References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20409", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20409", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20409", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20409", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20409", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20409" } }, "CVE-2022-20421": { "affected_versions": "v4.14-rc1 to v6.0-rc4", "breaks": "a60b890f607dc6d7806afc0dc8666577faf40bb4", "cmt_msg": "binder: fix UAF of ref->proc caused by race condition", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "a0e44c64b6061dda7e00b7c458e4523e2331b739", "last_affected_version": "5.19.7", "last_modified": "2023-12-06", "nvd_text": "In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239630375References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20421", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20421", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20421", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20421", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20421", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20421" } }, "CVE-2022-20422": { "affected_versions": "v3.19-rc1 to v6.0-rc1", "breaks": "587064b610c703f259317d00dc37bf6d40f4fc74", "cmt_msg": "arm64: fix oops in concurrently setting insn_emulation sysctls", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "af483947d472eccb79e42059276c4deed76f99a6", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237540956References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20422", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20422", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20422", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20422", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20422", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20422" } }, "CVE-2022-20423": { "affected_versions": "v5.17-rc4 to v5.17", "breaks": "38ea1eac7d88072bbffb630e2b3db83ca649b826", "cmt_msg": "usb: gadget: rndis: prevent integer overflow in rndis_set_response()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 4.6 }, "cwe": "Integer Overflow or Wraparound", "fixes": "65f3324f4b6fed78b8761c3b74615ecf0ffa81fa", "last_affected_version": "5.16", "last_modified": "2023-12-06", "nvd_text": "In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239842288References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20423", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20423", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20423", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20423", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20423", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20423" } }, "CVE-2022-20424": { "affected_versions": "unk to v5.12-rc1-dontuse", "breaks": "", "cmt_msg": "io_uring: remove io_identity", "fixes": "4379bf8bd70b5de6bba7d53015b0c36c57a634ee", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20424", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20424", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20424", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20424", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20424", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20424" }, "rejected": true }, "CVE-2022-20565": { "affected_versions": "v2.6.12-rc2 to v5.9-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: core: Correctly handle ReportSize being zero", "fixes": "bce1305c0ece3dc549663605e567655dd701752c", "last_affected_version": "5.8.6", "last_modified": "2022-12-08", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20565", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20565", "SUSE": 
"https://www.suse.com/security/cve/CVE-2022-20565", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20565" } }, "CVE-2022-20566": { "affected_versions": "v2.6.12-rc2 to v5.19", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "d0be8347c623e0ac4202a1d4e0373882821f56b0", "last_affected_version": "5.18.15", "last_modified": "2023-12-06", "nvd_text": "In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20566", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20566", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20566", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20566", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20566", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20566" } }, "CVE-2022-20567": { "affected_versions": "v4.15-rc1 to v4.16-rc5", "breaks": "ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741", "cmt_msg": "l2tp: fix race in pppol2tp_release with session object destroy", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution 
using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "d02ba2a6110c530a32926af8ad441111774d2893", "last_affected_version": "4.15.7", "last_modified": "2023-12-06", "nvd_text": "In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20567", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20567", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20567", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20567", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20567", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20567" } }, "CVE-2022-20568": { "affected_versions": "v5.7-rc4 to v5.12-rc1-dontuse", "breaks": "5b0bbee4732cbd58aa98213d4c11a366356bba3d", "cmt_msg": "Merge tag 'io_uring-worker.v3-2021-02-25' of git://git.kernel.dk/linux-block", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "5695e51619745d4fe3ec2506a2f0cd982c5e27a4", "last_modified": "2023-12-06", "nvd_text": "In (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20568", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20568", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20568", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20568", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20568", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20568" } }, "CVE-2022-20572": { "affected_versions": "v3.4-rc1 to v5.19-rc1", "breaks": "a4ffc152198efba2ed9e6eac0eb97f17bfebce85", "cmt_msg": "dm verity: set DM_TARGET_IMMUTABLE feature flag", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Incorrect Authorization", "fixes": "4caae58406f8ceb741603eee460d79bacca9b1b5", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-20572", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-20572", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-20572", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-20572", "SUSE": "https://www.suse.com/security/cve/CVE-2022-20572", "Ubuntu": "https://ubuntu.com/security/CVE-2022-20572" } }, "CVE-2022-2078": { "affected_versions": "v5.6-rc1 to v5.19-rc1", "breaks": "f3a2181e16f1dcbf5446ed43f6b5d9f56c459f85", "cmt_msg": "netfilter: nf_tables: sanitize nft_set_desc_concat_parse()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "fecf31ee395b0295f2d7260aa29946b7605f7c85", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function. This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse(), causing a denial of service and possibly allowing code execution.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2078", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2078", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2078", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2078", "SUSE": 
"https://www.suse.com/security/cve/CVE-2022-2078", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2078" } }, "CVE-2022-21123": { "affected_versions": "v2.6.12-rc2 to v5.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Incomplete Cleanup", "fixes": "8cb861e9e3c9a55099ad3d08e1a3b653d29c33ca", "last_affected_version": "5.18.4", "last_modified": "2023-12-06", "nvd_text": "Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-21123", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-21123", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-21123", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-21123", "SUSE": "https://www.suse.com/security/cve/CVE-2022-21123", "Ubuntu": "https://ubuntu.com/security/CVE-2022-21123" } }, "CVE-2022-21125": { "affected_versions": "v2.6.12-rc2 to v5.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation/mmio: Reuse SRBDS mitigation for SBDS", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": 
"AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Incomplete Cleanup", "fixes": "a992b8a4682f119ae035a01b40d4d0665c4a2875", "last_affected_version": "5.18.4", "last_modified": "2023-12-06", "nvd_text": "Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-21125", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-21125", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-21125", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-21125", "SUSE": "https://www.suse.com/security/cve/CVE-2022-21125", "Ubuntu": "https://ubuntu.com/security/CVE-2022-21125" } }, "CVE-2022-21166": { "affected_versions": "v2.6.12-rc2 to v5.19-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation/mmio: Enable CPU Fill buffer clearing on idle", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Incomplete Cleanup", "fixes": "99a83db5a605137424e1efe29dc0573d6a5b6316", "last_affected_version": "5.18.4", "last_modified": "2023-12-06", "nvd_text": "Incomplete cleanup in specific 
special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-21166", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-21166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-21166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-21166", "SUSE": "https://www.suse.com/security/cve/CVE-2022-21166", "Ubuntu": "https://ubuntu.com/security/CVE-2022-21166" } }, "CVE-2022-21385": { "affected_versions": "v2.6.12-rc2 to v4.20", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/rds: fix warn in rds_message_alloc_sgs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 6.2 }, "cwe": "Unspecified", "fixes": "ea010070d0a7497253d5a6f919f6dd107450b31a", "last_affected_version": "4.19", "last_modified": "2023-12-06", "nvd_text": "A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). 
CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-21385", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-21385", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-21385", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-21385", "SUSE": "https://www.suse.com/security/cve/CVE-2022-21385", "Ubuntu": "https://ubuntu.com/security/CVE-2022-21385" } }, "CVE-2022-21499": { "affected_versions": "v2.6.12-rc2 to v5.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "lockdown: also lock down previous kgdb use", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "eadb2f47a3ced5c64b23b90fd2a3463f63726066", "last_affected_version": "5.18.0", "last_modified": "2023-12-06", "nvd_text": "KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-21499", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-21499", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-21499", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-21499", "SUSE": "https://www.suse.com/security/cve/CVE-2022-21499", "Ubuntu": "https://ubuntu.com/security/CVE-2022-21499" } }, "CVE-2022-21505": { "affected_versions": "v5.4-rc1 to v5.19-rc8", "breaks": "29d3c1c8dfe752c01b7115ecd5a3142b232a38e1", "cmt_msg": "lockdown: Fix kexec lockdown bypass with ima policy", "fixes": "543ce63b664e2c2f9533d089a4664b559c3e6b5b", "last_affected_version": "5.18.14", "last_modified": "2022-08-04", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-21505", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-21505", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-21505", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-21505", "SUSE": "https://www.suse.com/security/cve/CVE-2022-21505", "Ubuntu": "https://ubuntu.com/security/CVE-2022-21505" } }, "CVE-2022-2153": { "affected_versions": "v3.7-rc1 to v5.18-rc1", "breaks": "1e08ec4a130e2745d96df169e67c58df98a07311", "cmt_msg": "KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "00b5f37189d24ac3ed46cb7f11742094778c46ce", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s KVM when attempting to set a SynIC IRQ. 
This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2153", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2153", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2153", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2153", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2153", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2153" } }, "CVE-2022-2196": { "affected_versions": "v5.8-rc1 to v6.2-rc1", "breaks": "5c911beff20aa8639e7a1f28988736c13e03ed54", "cmt_msg": "KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Insecure Default Initialization of Resource", "fixes": "2e7eab81425ad6c875f2ed47c0ce01e78afc38a5", "last_affected_version": "6.1.13", "last_modified": "2023-12-06", "nvd_text": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. 
We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2196", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2196", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2196", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2196", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2196", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2196" } }, "CVE-2022-2209": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2209", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2209", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2209", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2209", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2209", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2209" }, "rejected": true }, "CVE-2022-22942": { "affected_versions": "v4.14-rc1 to v5.17-rc2", "breaks": "c906965dee22d5e95d0651759ba107b420212a9f", "cmt_msg": "drm/vmwgfx: Fix stale file descriptors on failed usercopy", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "a0f90c8815706981c483a652a6aefca51a5e191c", "last_affected_version": "5.16.3", "last_modified": "2023-12-27", "nvd_text": "The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system 
through a dangling 'file' pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-22942", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-22942", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-22942", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-22942", "SUSE": "https://www.suse.com/security/cve/CVE-2022-22942", "Ubuntu": "https://ubuntu.com/security/CVE-2022-22942" } }, "CVE-2022-23036": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/grant-table: add gnttab_try_end_foreign_access()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23036", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23036", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23036", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23036", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23036", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23036" } }, "CVE-2022-23037": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/netfront: don't use gnttab_query_foreign_access() for mapped status", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "31185df7e2b1d2fa1de4900247a12d7b9c7087eb", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23037", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23037", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23037", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23037", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23037", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23037" } }, "CVE-2022-23038": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/grant-table: add gnttab_try_end_foreign_access()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23038", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23038", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23038", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23038", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23038", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23038" } }, "CVE-2022-23039": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/gntalloc: don't use gnttab_query_foreign_access()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "d3b6372c5881cb54925212abb62c521df8ba4809", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23039", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23039", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23039", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23039" } }, "CVE-2022-23040": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/xenbus: don't let xenbus_grant_ring() remove grants in error case", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "3777ea7bac3113005b7180e6b9dadf16d19a5827", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23040", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23040", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23040", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23040", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23040", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23040" } }, "CVE-2022-23041": { "affected_versions": "v4.12-rc1 to v5.17-rc8", "breaks": "71ebd71921e451f0f942ddfe85d01e31ddc6eb88", "cmt_msg": "xen/9p: use alloc/free_pages_exact()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "5cadd4bb1d7fc9ab201ac14620d1a478357e4ebd", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23041", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23041", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23041", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23041", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23041", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23041" } }, "CVE-2022-23042": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/netfront: react properly to failing gnttab_end_foreign_access_ref()", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "66e3531b33ee51dad17c463b4d9c9f52e341503d", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. 
If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. 
CVE-2022-23042", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23042", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23042", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23042", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23042", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23042", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23042" } }, "CVE-2022-2308": { "affected_versions": "v5.15-rc1 to v6.0", "breaks": "c8a6153b6c59d95c0e091f053f6f180952ade91e", "cmt_msg": "vduse: prevent uninitialized memory accesses", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Use of Uninitialized Resource", "fixes": "46f8a29272e51b6df7393d58fc5cb8967397ef2b", "last_affected_version": "6.-1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. 
This could cause undefined behavior or data leaks in Virtio drivers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2308", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2308", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2308", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2308", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2308", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2308" } }, "CVE-2022-2318": { "affected_versions": "v2.6.12-rc2 to v5.19-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: rose: fix UAF bugs caused by timer handler", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "9cc02ede696272c5271a401e4f27c262359bc2f6", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2318", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2318", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2318", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2318", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2318", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2318" } }, "CVE-2022-23222": { "affected_versions": "v2.6.12-rc2 to v5.17-rc1", "breaks": 
"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "NULL Pointer Dereference", "fixes": "c25b2ae136039ffa820c26138ed4a5e5f3ab3841", "last_affected_version": "5.16.10", "last_modified": "2023-12-06", "nvd_text": "kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23222", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23222", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23222", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23222" } }, "CVE-2022-2327": { "affected_versions": "v5.1-rc1 to v5.12-rc1-dontuse", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: remove any grabbing of context", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "44526bedc2ff8fcd58552e3c5bae928524b6f13c", "last_modified": "2024-01-12", 
"nvd_text": "io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2327", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2327", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2327", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2327", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2327", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2327" } }, "CVE-2022-2380": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "video: fbdev: sm712fb: Fix crash in smtcfb_read()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Write", "fixes": "bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel was found vulnerable out of bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. 
The vulnerability could result in local attackers being able to crash the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2380", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2380", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2380", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2380", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2380", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2380" } }, "CVE-2022-23816": { "affected_versions": "unk to v5.19-rc7", "breaks": "", "cmt_msg": "x86/kvm/vmx: Make noinstr clean", "fixes": "742ab6df974ae8384a2dd213db1a3a06cf6d8936", "last_affected_version": "5.18.13", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23816", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23816", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23816", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23816", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23816", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23816" }, "rejected": true }, "CVE-2022-23825": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Aliases in the 
branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23825", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23825", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23825", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23825", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23825", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23825" } }, "CVE-2022-23960": { "affected_versions": "v2.6.12-rc2 to v5.17-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ARM: report Spectre v2 status through sysfs", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "cwe": "Unspecified", "fixes": "9dd78194a3722fa6712192cdd4f7032d45112a9a", "last_affected_version": "5.16.13", "last_modified": "2023-12-06", "nvd_text": "Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. 
Then, cache allocation can allow the attacker to obtain sensitive information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-23960", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-23960", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-23960", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-23960", "SUSE": "https://www.suse.com/security/cve/CVE-2022-23960", "Ubuntu": "https://ubuntu.com/security/CVE-2022-23960" } }, "CVE-2022-24122": { "affected_versions": "v5.14-rc1 to v5.17-rc2", "breaks": "d64696905554e919321e31afc210606653b8f6a4", "cmt_msg": "ucount: Make get_ucount a safe get_user replacement", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f9d87929d451d3e649699d0f1d74f71f77ad38f5", "last_affected_version": "5.15.18", "last_modified": "2023-12-06", "nvd_text": "kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-24122", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-24122", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-24122", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-24122", "SUSE": "https://www.suse.com/security/cve/CVE-2022-24122", "Ubuntu": "https://ubuntu.com/security/CVE-2022-24122" } }, "CVE-2022-24448": { 
"affected_versions": "v3.6-rc1 to v5.17-rc2", "breaks": "0dd2b474d0b69d58859399b1df7fdc699ea005d4", "cmt_msg": "NFSv4: Handle case where the lookup of a directory fails", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Missing Initialization of Resource", "fixes": "ac795161c93699d600db16c1a8cc23a65a1eceaf", "last_affected_version": "5.16.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. 
If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-24448", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-24448", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-24448", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-24448", "SUSE": "https://www.suse.com/security/cve/CVE-2022-24448", "Ubuntu": "https://ubuntu.com/security/CVE-2022-24448" } }, "CVE-2022-24958": { "affected_versions": "v2.6.12-rc2 to v5.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: gadget: don't release an existing dev->buf", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Release of Invalid Pointer or Reference", "fixes": "89f3594d0de58e8a57d92d497dea9fee3d4b9cda", "last_affected_version": "5.16.12", "last_modified": "2023-12-06", "nvd_text": "drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-24958", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-24958", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-24958", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-24958", "SUSE": "https://www.suse.com/security/cve/CVE-2022-24958", "Ubuntu": "https://ubuntu.com/security/CVE-2022-24958" } }, "CVE-2022-24959": { "affected_versions": "v4.19-rc7 to v5.17-rc2", 
"breaks": "0781168e23a2fc8dceb989f11fc5b39b3ccacc35", "cmt_msg": "yam: fix a memory leak in yam_siocdevprivate()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "29eb31542787e1019208a2e1047bb7c76c069536", "last_affected_version": "5.16.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-24959", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-24959", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-24959", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-24959", "SUSE": "https://www.suse.com/security/cve/CVE-2022-24959", "Ubuntu": "https://ubuntu.com/security/CVE-2022-24959" } }, "CVE-2022-2503": { "affected_versions": "v3.4-rc1 to v5.19-rc1", "breaks": "a4ffc152198efba2ed9e6eac0eb97f17bfebce85", "cmt_msg": "dm verity: set DM_TARGET_IMMUTABLE feature flag", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Improper Authentication", "fixes": "4caae58406f8ceb741603eee460d79bacca9b1b5", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", 
"nvd_text": "Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2503", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2503", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2503", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2503", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2503", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2503" } }, "CVE-2022-25258": { "affected_versions": "v3.16-rc1 to v5.17-rc4", "breaks": "37a3a533429ef9b3cc9f15a656c19623f0e88df7", "cmt_msg": "USB: gadget: validate interface OS descriptor requests", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "NULL Pointer Dereference", "fixes": "75e5b4849b81e19e9efe1654b30d7f3151c33c2c", "last_affected_version": "5.16.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/usb/gadget/composite.c 
in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-25258", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-25258", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-25258", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-25258", "SUSE": "https://www.suse.com/security/cve/CVE-2022-25258", "Ubuntu": "https://ubuntu.com/security/CVE-2022-25258" } }, "CVE-2022-25265": { "affected_versions": "unk to unk", "breaks": "", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Control of Dynamically-Managed Code Resources", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). 
This can cause execution of bytes located in supposedly non-executable regions of a file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-25265", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-25265", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-25265", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-25265", "SUSE": "https://www.suse.com/security/cve/CVE-2022-25265", "Ubuntu": "https://ubuntu.com/security/CVE-2022-25265" } }, "CVE-2022-25375": { "affected_versions": "v2.6.12-rc2 to v5.17-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: gadget: rndis: check size of RNDIS_MSG_SET command", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "38ea1eac7d88072bbffb630e2b3db83ca649b826", "last_affected_version": "5.16.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. 
Attackers can obtain sensitive information from kernel memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-25375", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-25375", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-25375", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-25375", "SUSE": "https://www.suse.com/security/cve/CVE-2022-25375", "Ubuntu": "https://ubuntu.com/security/CVE-2022-25375" } }, "CVE-2022-25636": { "affected_versions": "v5.4-rc1 to v5.17-rc6", "breaks": "be2861dc36d77ff3778979b9c3c79ada4affa131", "cmt_msg": "netfilter: nf_tables_offload: incorrect flow offload action array size", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Privilege Management", "fixes": "b1a5983f56e371046dcf164f90bfaf704d2b89f6", "last_affected_version": "5.16.11", "last_modified": "2023-12-06", "nvd_text": "net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. 
This is related to nf_tables_offload.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-25636", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-25636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-25636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-25636", "SUSE": "https://www.suse.com/security/cve/CVE-2022-25636", "Ubuntu": "https://ubuntu.com/security/CVE-2022-25636" } }, "CVE-2022-2585": { "affected_versions": "v5.7-rc1 to v6.0-rc1", "breaks": "55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59", "cmt_msg": "posix-cpu-timers: Cleanup CPU timers before freeing them during exec", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "e362359ace6f87c201531872486ff295df306d13", "last_affected_version": "5.19.1", "last_modified": "2024-02-02", "nvd_text": "It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2585", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2585", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2585", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2585", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2585", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2585" } }, "CVE-2022-2586": { "affected_versions": "v3.16-rc1 to v6.0-rc1", "breaks": "958bee14d0718ca7a5002c0f48a099d1d345812a", "cmt_msg": "netfilter: nf_tables: do not allow SET_ID to refer to another table", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User 
Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2", "last_affected_version": "5.19.1", "last_modified": "2024-01-12", "nvd_text": "It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2586", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2586", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2586", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2586", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2586", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2586" } }, "CVE-2022-2588": { "affected_versions": "v2.6.12-rc2 to v6.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net_sched: cls_route: remove from list when handle is 0", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "9ad36309e2719a884f946678e0296be10f0bb4c1", "last_affected_version": "5.19.1", "last_modified": "2024-01-12", "nvd_text": "It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2588", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2588", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2588", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2588" } }, "CVE-2022-2590": { "affected_versions": 
"v5.16-rc1 to v6.0-rc3", "breaks": "9ae0f87d009ca6c4aab2882641ddfc319727e3db", "cmt_msg": "mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "5535be3099717646781ce1540cf725965d680e7b", "last_affected_version": "5.19.5", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2590", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2590", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2590", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2590", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2590", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2590" } }, "CVE-2022-2602": { "affected_versions": "v5.1-rc1 to v6.1-rc1", "breaks": "6b06314c47e141031be043539900d80d2c7ba10f", "cmt_msg": "io_uring/af_unix: defer registered files gc to io_uring release", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "0091bfc81741b8d3aeb3b7ab8636f911b2de6e80", "last_affected_version": "6.0.2", "last_modified": "2024-01-12", "nvd_text": "io_uring UAF, 
Unix SCM garbage collection", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2602", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2602", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2602", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2602", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2602", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2602" } }, "CVE-2022-26365": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/blkfront: fix leaking data in shared pages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "2f446ffe9d737e9a844b97887919c4fda18246e7", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). 
Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-26365", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-26365", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-26365", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-26365", "SUSE": "https://www.suse.com/security/cve/CVE-2022-26365", "Ubuntu": "https://ubuntu.com/security/CVE-2022-26365" } }, "CVE-2022-26373": { "affected_versions": "v2.6.12-rc2 to v6.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Add RSB VM Exit protections", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "2b1299322016731d56807aa49254a5ea3080b6b3", "last_affected_version": "5.19.0", "last_modified": "2023-12-06", "nvd_text": "Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-26373", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-26373", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-26373", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-26373", "SUSE": "https://www.suse.com/security/cve/CVE-2022-26373", "Ubuntu": "https://ubuntu.com/security/CVE-2022-26373" } }, "CVE-2022-2639": { "affected_versions": "v5.1-rc4 to v5.18-rc4", "breaks": "f28cd2af22a0c134e4aa1c64a70f70d815d473fb", "cmt_msg": "openvswitch: 
fix OOB access in reserve_sfa_size()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "cefa91b2332d7009bc0be5d951d6cbbf349f90f8", "last_affected_version": "5.17.4", "last_modified": "2023-12-06", "nvd_text": "An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2639", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2639", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2639", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2639" } }, "CVE-2022-26490": { "affected_versions": "v4.0-rc1 to v5.17-rc1", "breaks": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074", "cmt_msg": "nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "4fbcc1a4cb20fe26ad0225679c536c80f1648221", "last_affected_version": "5.16.17", "last_modified": "2023-12-06", "nvd_text": "st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-26490", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-26490", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-26490", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-26490", "SUSE": "https://www.suse.com/security/cve/CVE-2022-26490", "Ubuntu": "https://ubuntu.com/security/CVE-2022-26490" } }, "CVE-2022-2663": { "affected_versions": "v2.6.20-rc1 to v6.0-rc5", "breaks": "869f37d8e48f3911eb70f38a994feaa8f8380008", "cmt_msg": "netfilter: nf_conntrack_irc: Fix forged IP logic", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "score": 5.3 }, "cwe": "Improper Restriction of Communication Channel to Intended Endpoints", "fixes": "0efe125cfb99e6773a7434f3463f7c2fa28f3a43", "last_affected_version": "5.19.8", "last_modified": "2023-12-06", "nvd_text": "An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. 
A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2663", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2663", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2663", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2663", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2663" } }, "CVE-2022-26878": { "affected_versions": "v5.13-rc1 to unk", "breaks": "afd2daa26c7abd734d78bd274fc6c59a15e61063", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Resource after Effective Lifetime", "fixes": "ad7cb5f6fa5f7ea37208c98a9457dd98025a89ca", "last_modified": "2023-12-06", "nvd_text": "drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-26878", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-26878", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-26878", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-26878", "SUSE": "https://www.suse.com/security/cve/CVE-2022-26878", "Ubuntu": "https://ubuntu.com/security/CVE-2022-26878" } }, "CVE-2022-26966": { "affected_versions": "v3.12-rc1 to v5.17-rc6", "breaks": "c9b37458e95629b1d1171457afdcc1bf1eb7881d", "cmt_msg": "sr9700: sanity 
check for packet length", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "e9da0b56fe27206b49f39805f7dcda8a89379062", "last_affected_version": "5.16.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-26966", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-26966", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-26966", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-26966", "SUSE": "https://www.suse.com/security/cve/CVE-2022-26966", "Ubuntu": "https://ubuntu.com/security/CVE-2022-26966" } }, "CVE-2022-27223": { "affected_versions": "v3.18-rc1 to v5.17-rc6", "breaks": "1f7c51660034091dc134fcc534b7f1fa86a6e823", "cmt_msg": "USB: gadget: validate endpoint index for xilinx udc", "cvss2": { "Access Complexity": "Low", "Access Vector": "Network Accessible", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "score": 6.5 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Improper Validation of Array Index", "fixes": "7f14c7227f342d9932f9b918893c8814f86d2a0d", "last_affected_version": "5.16.11", "last_modified": "2023-12-06", "nvd_text": "In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-27223", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-27223", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-27223", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-27223", "SUSE": "https://www.suse.com/security/cve/CVE-2022-27223", "Ubuntu": "https://ubuntu.com/security/CVE-2022-27223" } }, "CVE-2022-27666": { "affected_versions": "v4.11-rc1 to v5.17-rc8", "breaks": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0", "cmt_msg": "esp: Fix possible buffer overflow in ESP transformation", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "ebe48d368e97d007bfeb76fcb065d6cfc4c96645", "last_affected_version": "5.16.14", "last_modified": "2023-12-06", "nvd_text": "A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. 
This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-27666", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-27666", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-27666", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-27666", "SUSE": "https://www.suse.com/security/cve/CVE-2022-27666", "Ubuntu": "https://ubuntu.com/security/CVE-2022-27666" } }, "CVE-2022-27672": { "affected_versions": "v2.6.12-rc2 to v6.2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Identify processors vulnerable to SMT RSB predictions", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "cwe": "Unspecified", "fixes": "be8de49bea505e7777a69ef63d60e02ac1712683", "last_affected_version": "6.1", "last_modified": "2023-12-06", "nvd_text": "\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target\nfrom the sibling thread after an SMT mode switch potentially resulting in information disclosure.\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-27672", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-27672", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-27672", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-27672", "SUSE": "https://www.suse.com/security/cve/CVE-2022-27672", "Ubuntu": "https://ubuntu.com/security/CVE-2022-27672" } }, "CVE-2022-2785": { "affected_versions": "v5.18-rc1 to v6.0-rc1", "breaks": "b1d18a7574d0df5eb4117c14742baf8bc2b9bb74", "cmt_msg": "bpf: Disallow bpf programs call prog_run command.", "cvss3": { "Attack 
Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "86f44fcec22ce2979507742bc53db8400e454f46", "last_affected_version": "5.19.3", "last_modified": "2023-12-06", "nvd_text": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2785", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2785", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2785", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2785", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2785", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2785" } }, "CVE-2022-27950": { "affected_versions": "v5.15-rc1 to v5.17-rc5", "breaks": "fbf42729d0e91332e8ce75a1ecce08b8a2dab9c1", "cmt_msg": "HID: elo: fix memory leak in elo_probe", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "817b8b9c5396d2b2d92311b46719aad5d3339dbe", 
"last_affected_version": "5.16.10", "last_modified": "2023-12-06", "nvd_text": "In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-27950", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-27950", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-27950", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-27950", "SUSE": "https://www.suse.com/security/cve/CVE-2022-27950", "Ubuntu": "https://ubuntu.com/security/CVE-2022-27950" } }, "CVE-2022-28356": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "llc: fix netdevice reference leaks in llc_ui_bind()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "764f4eb6846f5475f1244767d24d25dd86528a4a", "last_affected_version": "5.17.0", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-28356", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-28356", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-28356", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-28356", "SUSE": "https://www.suse.com/security/cve/CVE-2022-28356", "Ubuntu": "https://ubuntu.com/security/CVE-2022-28356" } }, "CVE-2022-28388": { 
"affected_versions": "v3.9-rc1 to v5.18-rc1", "breaks": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "cmt_msg": "can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "3d3925ff6433f98992685a9679613a2cc97f3ce2", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-28388", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-28388", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-28388", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-28388", "SUSE": "https://www.suse.com/security/cve/CVE-2022-28388", "Ubuntu": "https://ubuntu.com/security/CVE-2022-28388" } }, "CVE-2022-28389": { "affected_versions": "v4.12-rc1 to v5.18-rc1", "breaks": "51f3baad7de943780ce0c17bd7975df567dd6e14", "cmt_msg": "can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges 
Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "04c9b00ba83594a29813d6b1fb8fdc93a3915174", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-28389", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-28389", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-28389", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-28389", "SUSE": "https://www.suse.com/security/cve/CVE-2022-28389", "Ubuntu": "https://ubuntu.com/security/CVE-2022-28389" } }, "CVE-2022-28390": { "affected_versions": "v2.6.32-rc1 to v5.18-rc1", "breaks": "702171adeed3607ee9603ec30ce081411e36ae42", "cmt_msg": "can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "c70222752228a62135cee3409dccefd494a24646", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-28390", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-28390", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-28390", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-28390", "SUSE": "https://www.suse.com/security/cve/CVE-2022-28390", "Ubuntu": "https://ubuntu.com/security/CVE-2022-28390" } }, "CVE-2022-2873": { "affected_versions": "v5.11-rc1 to v5.19-rc1", "breaks": "5e9a97b1f4491b8b65874901ad084348fcaba327", "cmt_msg": "i2c: ismt: prevent memory corruption in ismt_access()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Incorrect Calculation of Buffer Size", "fixes": "690b2549b19563ec5ad53e5c82f6a944d910086e", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory access flaw was found in the Linux kernel Intel\u2019s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. 
This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2873", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2873", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2873", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2873", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2873", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2873" } }, "CVE-2022-28796": { "affected_versions": "v5.17-rc3 to v5.18-rc1", "breaks": "4f98186848707f530669238d90e0562d92a78aab", "cmt_msg": "jbd2: fix use-after-free of transaction_t race", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "cc16eecae687912238ee6efbff71ad31e2bc414e", "last_affected_version": "5.17.0", "last_modified": "2023-12-06", "nvd_text": "jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-28796", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-28796", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-28796", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-28796", "SUSE": "https://www.suse.com/security/cve/CVE-2022-28796", "Ubuntu": "https://ubuntu.com/security/CVE-2022-28796" } }, "CVE-2022-28893": { "affected_versions": "v5.1-rc1 to v5.18-rc2", "breaks": "a73881c96d73ee72b7dbbd38a6eeef66182a8ef7", 
"cmt_msg": "SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "f00432063db1a0db484e85193eccc6845435b80e", "last_affected_version": "5.17.2", "last_modified": "2023-12-06", "nvd_text": "The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-28893", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-28893", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-28893", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-28893", "SUSE": "https://www.suse.com/security/cve/CVE-2022-28893", "Ubuntu": "https://ubuntu.com/security/CVE-2022-28893" } }, "CVE-2022-2905": { "affected_versions": "v5.5-rc1 to v6.0-rc4", "breaks": "d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b", "cmt_msg": "bpf: Don't use tnum_range on array range checking for poke descriptors", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Out-of-bounds Read", "fixes": "a657182a5c5150cdfacb6640aad1d2712571a409", "last_affected_version": "5.19.5", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory read flaw 
was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2905", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2905", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2905", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2905", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2905", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2905" } }, "CVE-2022-29156": { "affected_versions": "v5.12-rc1-dontuse to v5.17-rc6", "breaks": "eab098246625e91c1cbd6e8f75b09e4c9c28a9fc", "cmt_msg": "RDMA/rtrs-clt: Fix possible double free in error case", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "8700af2cc18c919b2a83e74e0479038fd113c15d", "last_affected_version": "5.16.11", "last_modified": "2023-12-06", "nvd_text": "drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-29156", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-29156", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-29156", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-29156", "SUSE": "https://www.suse.com/security/cve/CVE-2022-29156", "Ubuntu": 
"https://ubuntu.com/security/CVE-2022-29156" } }, "CVE-2022-2938": { "affected_versions": "v5.2-rc1 to v5.17-rc2", "breaks": "0e94682b73bfa6c44c98af7a26771c9c08c055d5", "cmt_msg": "psi: Fix uaf issue when psi trigger is destroyed while being polled", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "a06247c6804f1a7c86a2e5398a4c1f1db1471848", "last_affected_version": "5.16.4", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2938", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2938", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2938", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2938" } }, "CVE-2022-29581": { "affected_versions": "v4.14 to v5.18-rc4", "breaks": "35c55fc156d85a396a975fc17636f560fc02fd65", "cmt_msg": "net/sched: cls_u32: fix netns refcount changes in u32_change()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "3db09e762dc79584a69c10d74a6b98f89a9979f8", "last_affected_version": "5.17.4", "last_modified": "2023-12-06", "nvd_text": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-29581", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-29581", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-29581", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-29581", "SUSE": "https://www.suse.com/security/cve/CVE-2022-29581", "Ubuntu": "https://ubuntu.com/security/CVE-2022-29581" } }, "CVE-2022-29582": { "affected_versions": "v5.5-rc1 to v5.18-rc2", "breaks": "2665abfd757fb35a241c6f0b1ebf620e3ffb36fb", "cmt_msg": "io_uring: fix race between timeout flush and removal", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "score": 6.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "e677edbcabee849bfdd43f1602bccbecf736a646", "last_affected_version": "5.17.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. 
This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-29582", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-29582", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-29582", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-29582", "SUSE": "https://www.suse.com/security/cve/CVE-2022-29582", "Ubuntu": "https://ubuntu.com/security/CVE-2022-29582" } }, "CVE-2022-2959": { "affected_versions": "v5.8-rc1 to v5.19-rc1", "breaks": "c73be61cede5882f9605a852414db559c0ebedfd", "cmt_msg": "pipe: Fix missing lock in pipe_resize_ring()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "189b0ddc245139af81198d1a3637cac74f96e13a", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. 
This flaw allows a local user to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2959", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2959", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2959", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2959", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2959", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2959" } }, "CVE-2022-2961": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2961", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2961", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2961", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2961", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2961", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2961" } }, "CVE-2022-2964": { "affected_versions": "v3.9-rc2 to v5.17-rc4", "breaks": "e2ca90c276e1fc410d7cd3c1a4eee245ec902a20", "cmt_msg": "net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581", "last_affected_version": "5.16.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. 
The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2964", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2964", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2964", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2964", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2964", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2964" } }, "CVE-2022-2977": { "affected_versions": "v4.12-rc1 to v5.18-rc1", "breaks": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66", "cmt_msg": "tpm: fix reference counting for struct tpm_chip", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "7e0438f83dc769465ee663bb5dcf8cc154940712", "last_affected_version": "5.17.0", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. 
On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2977", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2977", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2977", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2977", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2977", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2977" } }, "CVE-2022-2978": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs: fix UAF/GPF bug in nilfs_mdt_destroy", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "2e488f13755ffbb60f307e991b27024716a33b29", "last_affected_version": "6.0.0", "last_modified": "2023-12-06", "nvd_text": "A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. 
A local user could use this flaw to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2978", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2978", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2978", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2978", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2978", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2978" } }, "CVE-2022-29900": { "affected_versions": "v2.6.12-rc2 to v5.19-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/kvm/vmx: Make noinstr clean", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "742ab6df974ae8384a2dd213db1a3a06cf6d8936", "last_affected_version": "5.18.13", "last_modified": "2023-12-06", "nvd_text": "Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-29900", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-29900", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-29900", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-29900", "SUSE": "https://www.suse.com/security/cve/CVE-2022-29900", "Ubuntu": "https://ubuntu.com/security/CVE-2022-29900" } }, "CVE-2022-29901": { 
"affected_versions": "v2.6.12-rc2 to v5.19-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/kvm/vmx: Make noinstr clean", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "score": 1.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "742ab6df974ae8384a2dd213db1a3a06cf6d8936", "last_affected_version": "5.18.13", "last_modified": "2023-12-06", "nvd_text": "Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. 
An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-29901", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-29901", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-29901", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-29901", "SUSE": "https://www.suse.com/security/cve/CVE-2022-29901", "Ubuntu": "https://ubuntu.com/security/CVE-2022-29901" } }, "CVE-2022-2991": { "affected_versions": "v4.4-rc1 to v5.15-rc1", "breaks": "cd9e9808d18fe7107c306f6e71c8be7230ee42b4", "cmt_msg": "remove the lightnvm subsystem", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "9ea9b9c48387edc101d56349492ad9c0492ff78d", "last_modified": "2023-12-06", "nvd_text": "A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. 
The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-2991", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-2991", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-2991", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-2991", "SUSE": "https://www.suse.com/security/cve/CVE-2022-2991", "Ubuntu": "https://ubuntu.com/security/CVE-2022-2991" } }, "CVE-2022-29968": { "affected_versions": "v5.16-rc1 to v5.18-rc5", "breaks": "3e08773c3841e9db7a520908cc2b136a77d275ff", "cmt_msg": "io_uring: fix uninitialized field in rw io_kiocb", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Missing Initialization of Resource", "fixes": "32452a3eb8b64e01e2be717f518c0be046975b9d", "last_affected_version": "5.17.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.17.5. 
io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-29968", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-29968", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-29968", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-29968", "SUSE": "https://www.suse.com/security/cve/CVE-2022-29968", "Ubuntu": "https://ubuntu.com/security/CVE-2022-29968" } }, "CVE-2022-3028": { "affected_versions": "v2.6.12-rc2 to v6.0-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "af_key: Do not call xfrm_probe_algs in parallel", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "ba953a9d89a00c078b85f4b190bc1dde66fe16b5", "last_affected_version": "5.19.5", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3028", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3028", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3028", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3028", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3028" } }, "CVE-2022-30594": { "affected_versions": "v4.3-rc1 to v5.18-rc1", "breaks": "13c4a90119d28cfcb6b5bdd820c233b86c2b0237", "cmt_msg": "ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "score": 4.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Incorrect Default Permissions", "fixes": "ee1fee900537b5d9560e9f937402de5ddc8412f3", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.17.2 mishandles seccomp permissions. 
The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-30594", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-30594", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-30594", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-30594", "SUSE": "https://www.suse.com/security/cve/CVE-2022-30594", "Ubuntu": "https://ubuntu.com/security/CVE-2022-30594" } }, "CVE-2022-3061": { "affected_versions": "v3.4-rc1 to v5.18-rc5", "breaks": "5350c65f4f15bbc111ffa629130d3f32cdd4ccf6", "cmt_msg": "video: fbdev: i740fb: Error out if 'pixclock' equals zero", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Divide By Zero", "fixes": "15cf0b82271b1823fb02ab8c377badba614d95d5", "last_affected_version": "5.15.69", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel i740 driver. A userspace program could pass arbitrary values to the driver through the ioctl() interface. 
The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3061", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3061", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3061", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3061", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3061", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3061" } }, "CVE-2022-3077": { "affected_versions": "v5.11-rc1 to v5.19-rc1", "breaks": "5e9a97b1f4491b8b65874901ad084348fcaba327", "cmt_msg": "i2c: ismt: prevent memory corruption in ismt_access()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "690b2549b19563ec5ad53e5c82f6a944d910086e", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "A buffer overflow vulnerability was found in the Linux kernel Intel\u2019s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. 
This flaw could allow a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3077", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3077", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3077", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3077" } }, "CVE-2022-3078": { "affected_versions": "v5.10-rc1 to v5.18-rc1", "breaks": "f90cf6079bf67988f8b1ad1ade70fc89d0080905", "cmt_msg": "media: vidtv: Check for null return of vzalloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "e6a21a14106d9718aa4f8e115b1e474888eeba44", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3078", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3078", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3078", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3078", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3078", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3078" } }, "CVE-2022-3103": { "affected_versions": "v6.0-rc1 to v6.0-rc3", "breaks": "78a861b9495920f8609dee5b670dacbff09d359f", "cmt_msg": "io_uring: fix off-by-one in sync cancelation file check", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Off-by-one Error", "fixes": "47abea041f897d64dbd5777f0cf7745148f85d75", "last_modified": "2023-12-06", "nvd_text": "off-by-one in io_uring module.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3103", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3103", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3103", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3103", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3103", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3103" } }, "CVE-2022-3104": { "affected_versions": "v5.7-rc1 to v5.19-rc1", "breaks": "ae2e1aad3e48e495878d9f149e437a308bfdaefa", "cmt_msg": "lkdtm/bugs: Check for the NULL pointer after calling kmalloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "4a9800c81d2f34afb66b4b42e0330ae8298019a2", "last_affected_version": "5.18.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks check of the return value of kmalloc() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3104", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3104", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3104", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3104", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3104", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3104" } }, "CVE-2022-3105": { "affected_versions": "v5.0-rc1 to v5.16", "breaks": "6884c6c4bd09fb35b79a3967d15821cdfcbe77a3", "cmt_msg": "RDMA/uverbs: Check for null return of kmalloc_array", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "7694a7de22c53a312ea98960fcafc6ec62046531", "last_affected_version": "5.15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks check of kmalloc_array().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3105", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3105", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3105", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3105", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3105", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3105" } }, "CVE-2022-3106": { "affected_versions": "v5.9-rc1 to v5.16-rc6", "breaks": "b593b6f1b4921700c00394d35e098259e3d04913", "cmt_msg": "sfc_ef100: potential dereference of null pointer", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "407ecd1bd726f240123f704620d46e285ff30dd9", "last_affected_version": "5.15.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks check of the return value of kmalloc().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3106", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3106", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3106", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3106", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3106", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3106" } }, "CVE-2022-3107": { "affected_versions": "v4.19-rc1 to v5.17", "breaks": "6ae746711263bd6da45f709fdb9f12e4f57e22bd", "cmt_msg": "hv_netvsc: Add check for kvmalloc_array", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "886e44c9298a6b428ae046e2fa092ca52e822e6a", "last_affected_version": "5.16", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3107", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3107", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3107", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3107", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3107", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3107" } }, "CVE-2022-3108": { "affected_versions": "v4.16-rc1 to v5.17-rc1", "breaks": "3a87177eb14113bbe8cd95a276af2c412eced6ac", "cmt_msg": "drm/amdkfd: Check for null pointer after calling kmemdup", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unchecked Return Value", "fixes": "abfaf0eee97925905e742aa3b0b72e04a918fa9e", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3108", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3108", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3108", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3108", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3108", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3108" } }, "CVE-2022-3110": { "affected_versions": "v5.15-rc1 to v5.19-rc1", "breaks": "15865124feed880978b79839c756ef6cbb4ec6b3", "cmt_msg": "staging: r8188eu: add check for kzalloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "f94b47c6bde624d6c07f43054087607c52054a95", "last_affected_version": "5.18.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
_rtw_init_xmit_priv in drivers/staging/r8188eu/core/rtw_xmit.c lacks check of the return value of rtw_alloc_hwxmits() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3110", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3110", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3110", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3110", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3110", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3110" } }, "CVE-2022-3111": { "affected_versions": "v2.6.29-rc1 to v5.18-rc1", "breaks": "14431aa0c5a443d13d24e6f865a8838f97dab973", "cmt_msg": "power: supply: wm8350-power: Add missing free in free_charger_irq", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "6dee930f6f6776d1e5a7edf542c6863b47d9f078", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3111", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3111", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3111", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3111", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3111", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3111" } }, "CVE-2022-3112": { "affected_versions": "v5.7-rc1 to v5.18-rc1", "breaks": "876f123b8956b455a89a172b905f9ecbb6fc5b67", "cmt_msg": "media: meson: vdec: potential dereference of null pointer", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "c8c80c996182239ff9b05eda4db50184cf3b2e99", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3112", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3112", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3112", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3112", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3112", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3112" } }, "CVE-2022-3113": { "affected_versions": "v5.10-rc6 to v5.18-rc1", "breaks": "46233e91fa24a91bffca0680b1c55282ba601918", "cmt_msg": "media: mtk-vcodec: potential dereference of null pointer", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "e25a89f743b18c029bfbe5e1663ae0c7190912b0", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3113", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3113", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3113", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3113", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3113", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3113" } }, "CVE-2022-3114": { "affected_versions": "v5.13-rc1 to v5.19-rc1", "breaks": "379c9a24cc239000b1dec53db02fe17a86947423", "cmt_msg": "clk: imx: Add check for kcalloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "ed713e2bc093239ccd380c2ce8ae9e4162f5c037", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3114", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3114", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3114", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3114", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3114", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3114" } }, "CVE-2022-3115": { "affected_versions": "v4.12-rc1 to v5.19-rc1", "breaks": "99665d07218345647875fea9ad4979bbe297c104", "cmt_msg": "drm: mali-dp: potential dereference of null pointer", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "73c3ed7495c67b8fbdc31cf58e6ca8757df31a33", "last_affected_version": "5.18.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.16-rc6. 
malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3115", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3115", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3115", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3115", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3115", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3115" } }, "CVE-2022-3169": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nvme: ensure subsystem reset is single threaded", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Input Validation", "fixes": "1e866afd4bcdd01a70a5eddb4371158d3035ce03", "last_affected_version": "6.0.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. 
A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3169", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3169", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3169", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3169", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3169", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3169" } }, "CVE-2022-3170": { "affected_versions": "v6.0-rc1 to v6.0-rc4", "breaks": "c27e1efb61c545f36c450ef60862df9251d239a4", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Read", "fixes": "6ab55ec0a938c7f943a4edba3d6514f775983887", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\\0'. 
A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3170", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3170", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3170", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3170", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3170", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3170" } }, "CVE-2022-3176": { "affected_versions": "v5.1-rc1 to v5.17-rc1", "breaks": "221c5eb2338232f7340386de1c43decc32682e58", "cmt_msg": "io_uring: fix UAF due to missing POLLFREE handling", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "791f3465c4afde02d7f16cf7424ca87070b69396", "last_affected_version": "5.15.64", "last_modified": "2023-12-06", "nvd_text": "There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. 
We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3176", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3176", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3176", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3176", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3176", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3176" } }, "CVE-2022-3202": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jfs: prevent NULL deref in diFree", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "NULL Pointer Dereference", "fixes": "a53046291020ec41e09181396c1e829287b48d47", "last_affected_version": "5.17.2", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in the Journaled File System (JFS) in the Linux kernel. 
This could allow a local attacker to crash the system or leak kernel internal information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3202", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3202", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3202", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3202", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3202", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3202" } }, "CVE-2022-32250": { "affected_versions": "v4.1-rc1 to v5.19-rc1", "breaks": "0b2d8a7b638b5034d2d68f6add8af94daaa1d4cd", "cmt_msg": "netfilter: nf_tables: disallow non-stateful expression in sets earlier", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "520778042ccca019f3ffa136dd0ca565c486cedd", "last_affected_version": "5.18.1", "last_modified": "2023-12-06", "nvd_text": "net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-32250", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-32250", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-32250", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-32250", "SUSE": "https://www.suse.com/security/cve/CVE-2022-32250", "Ubuntu": 
"https://ubuntu.com/security/CVE-2022-32250" } }, "CVE-2022-32296": { "affected_versions": "v2.6.12-rc2 to v5.18-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: increase source port perturb table to 2^16", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "None", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "cwe": "Observable Discrepancy", "fixes": "4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5", "last_affected_version": "5.17.8", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. 
This occurs because of use of Algorithm 4 (\"Double-Hash Port Selection Algorithm\") of RFC 6056.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-32296", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-32296", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-32296", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-32296", "SUSE": "https://www.suse.com/security/cve/CVE-2022-32296", "Ubuntu": "https://ubuntu.com/security/CVE-2022-32296" } }, "CVE-2022-3238": { "affected_versions": "v5.15-rc6 to unk", "breaks": "610f8f5a7baf998e70a61c63e53869b676d9b04c", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Double Free", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A double-free flaw was found in the Linux kernel\u2019s NTFS3 subsystem in how a user triggers remount and umount simultaneously. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3238", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3238", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3238", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3238", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3238", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3238" } }, "CVE-2022-3239": { "affected_versions": "v3.15-rc1 to v5.18-rc1", "breaks": "47677e51e2a4040c204d7971a5103592600185b1", "cmt_msg": "media: em28xx: initialize refcount before kref_get", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "c08eadca1bdfa099e20a32f8fa4b52b2f672236d", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. 
A local user could use this flaw to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3239", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3239", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3239", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3239", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3239" } }, "CVE-2022-32981": { "affected_versions": "v3.13-rc1 to v5.19-rc2", "breaks": "87fec0514f613f8ac43c01b0bc0bc7072c5d10ae", "cmt_msg": "powerpc/32: Fix overread/overwrite of thread_struct via ptrace", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "8e1278444446fc97778a5e5c99bca1ce0bbc5ec9", "last_affected_version": "5.18.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. 
There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-32981", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-32981", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-32981", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-32981", "SUSE": "https://www.suse.com/security/cve/CVE-2022-32981", "Ubuntu": "https://ubuntu.com/security/CVE-2022-32981" } }, "CVE-2022-3303": { "affected_versions": "v2.6.12-rc2 to v6.0-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "8423f0b6d513b259fdab9c9bf4aaa6188d054c2d", "last_affected_version": "5.19.8", "last_modified": "2023-12-06", "nvd_text": "A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. 
A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3303", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3303", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3303", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3303", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3303", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3303" } }, "CVE-2022-3344": { "affected_versions": "v2.6.12-rc2 to v6.1-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Expected Behavior Violation", "fixes": "16ae56d7e0528559bf8dc9070e3bfd8ba3de80df", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the KVM's AMD nested virtualization (SVM). 
A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3344", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3344", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3344", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3344", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3344", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3344" } }, "CVE-2022-33740": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/netfront: fix leaking data in shared pages", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "307c8de2b02344805ebead3440d8feed28f2f010", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). 
Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-33740", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-33740", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-33740", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-33740", "SUSE": "https://www.suse.com/security/cve/CVE-2022-33740", "Ubuntu": "https://ubuntu.com/security/CVE-2022-33740" } }, "CVE-2022-33741": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/netfront: force data bouncing when backend is untrusted", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "4491001c2e0fa69efbb748c96ec96b100a5cdb7e", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). 
Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-33741", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-33741", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-33741", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-33741", "SUSE": "https://www.suse.com/security/cve/CVE-2022-33741", "Ubuntu": "https://ubuntu.com/security/CVE-2022-33741" } }, "CVE-2022-33742": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/blkfront: force data bouncing when backend is untrusted", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "score": 3.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "2400617da7eebf9167d71a46122828bc479d64c9", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). 
Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-33742", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-33742", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-33742", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-33742", "SUSE": "https://www.suse.com/security/cve/CVE-2022-33742", "Ubuntu": "https://ubuntu.com/security/CVE-2022-33742" } }, "CVE-2022-33743": { "affected_versions": "v5.9-rc1 to v5.19-rc6", "breaks": "6c5aa6fc4defc2a0977a2c59e4710d50fa1e834c", "cmt_msg": "xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "Partial", "Integrity Impact": "Partial", "raw": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "score": 4.6 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "f63c2c2032c2e3caad9add3b82cc6e91c376fd26", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-33743", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-33743", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-33743", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-33743", "SUSE": "https://www.suse.com/security/cve/CVE-2022-33743", "Ubuntu": "https://ubuntu.com/security/CVE-2022-33743" } }, "CVE-2022-33744": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen/arm: Fix race in RB-tree based P2M accounting", "cvss2": { "Access Complexity": "Medium", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "score": 1.9 }, "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Unspecified", "fixes": "b75cd218274e01d026dc5240e86fdeb44bbed0c8", "last_affected_version": "5.18.9", "last_modified": "2023-12-06", "nvd_text": "Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. 
by causing crashes or the inability to perform further mappings of other guests' memory pages.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-33744", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-33744", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-33744", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-33744", "SUSE": "https://www.suse.com/security/cve/CVE-2022-33744", "Ubuntu": "https://ubuntu.com/security/CVE-2022-33744" } }, "CVE-2022-33981": { "affected_versions": "v2.6.12-rc2 to v5.18-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "floppy: disable FDRAWCMD by default", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "score": 2.1 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Use After Free", "fixes": "233087ca063686964a53c829d547c7571e3f67bf", "last_affected_version": "5.17.5", "last_modified": "2023-12-06", "nvd_text": "drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-33981", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-33981", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-33981", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-33981", "SUSE": "https://www.suse.com/security/cve/CVE-2022-33981", "Ubuntu": "https://ubuntu.com/security/CVE-2022-33981" } }, "CVE-2022-3424": { "affected_versions": 
"v2.6.33-rc1 to v6.2-rc1", "breaks": "55484c45dbeca2eec7642932ec3f60f8a2d4bdbf", "cmt_msg": "misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "643a16a0eb1d6ac23744bb6e90a00fc21148a9dc", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3424", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3424", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3424", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3424", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3424", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3424" } }, "CVE-2022-3435": { "affected_versions": "v5.18-rc2 to v6.1-rc1", "breaks": "6bf92d70e690b7ff12b24f4bfff5e5434d019b82", "cmt_msg": "ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 4.3 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "61b91eb33a69c3be11b259c5ea484505cd79f883", "last_affected_version": 
"6.0.11", "last_modified": "2023-12-06", "nvd_text": "A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3435", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3435", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3435", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3435", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3435", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3435" } }, "CVE-2022-34494": { "affected_versions": "v5.13-rc1 to v5.19-rc1", "breaks": "c486682ae1e2b149add22f44cf413b3103e3ef39", "cmt_msg": "rpmsg: virtio: Fix possible double free in rpmsg_virtio_add_ctrl_dev()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "1680939e9ecf7764fba8689cfb3429c2fe2bb23c", "last_affected_version": "5.18.3", "last_modified": "2023-12-06", "nvd_text": "rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-34494", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2022-34494", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-34494", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-34494", "SUSE": "https://www.suse.com/security/cve/CVE-2022-34494", "Ubuntu": "https://ubuntu.com/security/CVE-2022-34494" } }, "CVE-2022-34495": { "affected_versions": "v5.13-rc1 to v5.19-rc1", "breaks": "c486682ae1e2b149add22f44cf413b3103e3ef39", "cmt_msg": "rpmsg: virtio: Fix possible double free in rpmsg_probe()", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": "Complete", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "score": 4.9 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "c2eecefec5df1306eafce28ccdf1ca159a552ecc", "last_affected_version": "5.18.3", "last_modified": "2023-12-06", "nvd_text": "rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-34495", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-34495", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-34495", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-34495", "SUSE": "https://www.suse.com/security/cve/CVE-2022-34495", "Ubuntu": "https://ubuntu.com/security/CVE-2022-34495" } }, "CVE-2022-34918": { "affected_versions": "v4.1-rc1 to v5.19-rc6", "breaks": "7d7402642eaf385aef0772eff5a35e34fc4995d7", "cmt_msg": "netfilter: nf_tables: stricter validation of element data", "cvss2": { "Access Complexity": "Low", "Access Vector": "Local Access", "Authentication": "None", "Availability Impact": 
"Complete", "Confidentiality Impact": "Complete", "Integrity Impact": "Complete", "raw": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "score": 7.2 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6", "last_affected_version": "5.18.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-34918", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-34918", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-34918", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-34918", "SUSE": "https://www.suse.com/security/cve/CVE-2022-34918", "Ubuntu": "https://ubuntu.com/security/CVE-2022-34918" } }, "CVE-2022-3521": { "affected_versions": "v4.6-rc1 to v6.1-rc1", "breaks": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3", "cmt_msg": "kcm: avoid potential race in kcm_tx_work", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 2.5 }, "cwe": "Concurrent Execution using Shared Resource with Improper 
Synchronization ('Race Condition')", "fixes": "ec7eede369fe5b0d085ac51fdbb95184f87bfc6c", "last_affected_version": "6.0.9", "last_modified": "2023-12-06", "nvd_text": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3521", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3521", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3521", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3521", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3521", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3521" } }, "CVE-2022-3522": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm/hugetlb: use hugetlb_pte_stable in migration race check", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "f9bf6c03eca1077cae8de0e6d86427656fa42a9b", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3522", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3522", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3522", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3522", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3522", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3522" }, "rejected": true }, "CVE-2022-3523": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm/memory.c: fix race when faulting a device private page", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.3 }, "cwe": "Use After Free", "fixes": "16ce101db85db694a91380aa4c89b25530871d33", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211020.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3523", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3523", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3523", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3523", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3523", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3523" } }, "CVE-2022-3524": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp/udp: Fix memory leak in ipv6_renew_options().", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "3c52c6bb831f6335c176a0fc7214e26f43adbd11", "last_affected_version": "6.0.6", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211021 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3524", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3524", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3524", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3524", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3524", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3524" } }, "CVE-2022-3526": { "affected_versions": "v5.13-rc1 to v5.18-rc3", "breaks": "427f0c8c194b22edcafef1b0a42995ddc5c2227d", "cmt_msg": "macvlan: Fix leaking skb in source mode with nodst option", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "e16b859872b87650bb55b12cca5a5fcdc49c1442", "last_affected_version": "5.17.3", "last_modified": "2023-12-06", "nvd_text": "A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function macvlan_handle_frame of the file drivers/net/macvlan.c of the component skb. The manipulation leads to memory leak. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211024.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3526", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3526", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3526", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3526", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3526", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3526" } }, "CVE-2022-3531": { "affected_versions": "v5.19-rc1 to v6.2-rc1", "breaks": "5b6c7e5c44349b29c614e1b61f80c6849fc72ccf", "cmt_msg": "selftest/bpf: Fix memory leak in kprobe_multi_test", "fixes": "6d2e21dc4db3933db65293552ecc1ede26febeca", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3531", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3531", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3531", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3531", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3531", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3531" }, "rejected": true }, "CVE-2022-3532": { "affected_versions": "v6.1-rc1 to v6.2-rc1", "breaks": "1642a3945e223a922312fab2401ecdf58b3825b9", "cmt_msg": "selftests/bpf: Fix memory leak caused by not destroying skeleton", "fixes": "6e8280b958c5d7edc514cf347a800b23b7732b2b", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3532", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3532", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3532", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3532", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3532", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3532" }, "rejected": true }, "CVE-2022-3533": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.7 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects the function parse_usdt_arg of the file tools/lib/bpf/usdt.c of the component BPF. The manipulation of the argument reg_name leads to memory leak. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211031.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3533", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3533", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3533", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3533", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3533", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3533" } }, "CVE-2022-3534": { "affected_versions": "unk to v6.2-rc1", "breaks": "", "cmt_msg": "libbpf: Fix use-after-free in btf_dump_name_dups", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.0 }, "cwe": "Use After Free", "fixes": "93c660ca40b5d2f7c1b1626e955a8e9fa30e0749", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211032.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3534", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3534", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3534", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3534", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3534", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3534" } }, "CVE-2022-3535": { "affected_versions": "v4.19-rc1 to v6.1-rc1", "breaks": "21da57a23125a072e6ab2bb6c9bea5e02e01d1f5", "cmt_msg": "net: mvpp2: fix mvpp2 debugfs leak", "fixes": "0152dfee235e87660f52a117fc9f70dc55956bb4", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3535", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3535", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3535", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3535", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3535", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3535" }, "rejected": true }, "CVE-2022-3541": { "affected_versions": "v5.19-rc1 to v6.1-rc1", "breaks": "fd3040b9394c58bcedb83554bcf1a073021d6b36", "cmt_msg": "eth: sp7021: fix use after free bug in spl2sw_nvmem_get_mac_address", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "12aece8b01507a2d357a1861f470e83621fbb6f2", "last_affected_version": 
"6.0.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211041 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3541", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3541", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3541", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3541", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3541", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3541" } }, "CVE-2022-3542": { "affected_versions": "v3.16-rc6 to v6.1-rc1", "breaks": "07b0f00964def8af9321cfd6c4a7e84f6362f728", "cmt_msg": "bnx2x: fix potential memory leak in bnx2x_tpa_stop()", "fixes": "b43f9acbb8942b05252be83ac25a81cec70cc192", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3542", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3542", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3542", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3542", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3542", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3542" }, "rejected": true }, "CVE-2022-3543": { "affected_versions": "v5.15-rc1 to v6.1-rc1", "breaks": "314001f0bf927015e459c9d387d62a231fe93af3", "cmt_msg": "af_unix: Fix memory leaks of the whole sk due to OOB skb.", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "7a62ed61367b8fd01bae1e18e30602c25060d824", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211043.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3543", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3543", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3543", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3543" } }, "CVE-2022-3544": { "affected_versions": "v5.18-rc1 to unk", "breaks": "a61ea561c87139992fe32afdee48a6f6b85d824a", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "damon/sysfs: fix possible memleak on damon_sysfs_add_target", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as problematic, was found in Linux Kernel. Affected is the function damon_sysfs_add_target of the file mm/damon/sysfs.c of the component Netfilter. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211044.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3544", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3544", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3544", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3544", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3544", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3544" } }, "CVE-2022-3545": { "affected_versions": "v2.6.12-rc2 to v6.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nfp: fix use-after-free in area_cache_get()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "02e1a114fdb71e59ee6770294166c30d437bf86a", "last_affected_version": "5.15.83", "last_modified": "2023-12-06", "nvd_text": "A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211045 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3545", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3545", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3545", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3545", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3545", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3545" } }, "CVE-2022-3564": { "affected_versions": "v3.6-rc1 to v6.1-rc4", "breaks": "4b51dae96731c9d82f5634e75ac7ffd3b9c1b060", "cmt_msg": "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.1 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "3aff8aaca4e36dc8b17eaa011684881a80238966", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211087.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3564", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3564", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3564", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3564", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3564", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3564" } }, "CVE-2022-3565": { "affected_versions": "v2.6.27-rc1 to v6.1-rc1", "breaks": "3712b42d4b1bec29a4232a6673bf2e6dcc5faa68", "cmt_msg": "mISDN: fix use-after-free bugs in l1oip timer handlers", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "2568a7e0832ee30b0a351016d03062ab4e0e0a3f", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211088.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3565", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3565", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3565", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3565" } }, "CVE-2022-3566": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: Fix data races around icsk->icsk_af_ops.", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.1 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211089 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3566", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3566", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3566", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3566", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3566", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3566" } }, "CVE-2022-3567": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: Fix data races around sk->sk_prot.", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "364f997b5cfe1db0d63a390fe7c801fa2b3115f6", "last_modified": "2023-12-06", "nvd_text": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. 
VDB-211090 is the identifier assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3567", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3567", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3567", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3567", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3567", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3567" } }, "CVE-2022-3577": { "affected_versions": "v4.20-rc1 to v5.19-rc1", "breaks": "256a90ed9e46b270bbc4e15ef05216ff049c3721", "cmt_msg": "HID: bigben: fix slab-out-of-bounds Write in bigben_probe", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "fc4ef9d5724973193bfa5ebed181dba6de3a56db", "last_affected_version": "5.18.2", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. 
However, malicious devices can break this assumption, leading to an out-of-bounds write.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3577", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3577", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3577", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3577", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3577", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3577" } }, "CVE-2022-3586": { "affected_versions": "v2.6.39-rc1 to v6.0-rc5", "breaks": "e13e02a3c68d899169c78d9a18689bd73491d59a", "cmt_msg": "sch_sfb: Don't assume the skb is still around after enqueueing to child", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "9efd23297cca530bb35e1848665805d3fcdd7889", "last_affected_version": "5.19.8", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. 
This flaw allows a local, unprivileged user to crash the system, causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3586", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3586", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3586", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3586", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3586" } }, "CVE-2022-3594": { "affected_versions": "v3.12-rc1 to v6.1-rc1", "breaks": "40a82917b1d3a8aecedee6b64949795b75359731", "cmt_msg": "r8152: Rate limit overflow messages", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "score": 5.3 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "93e2be344a7db169b7119de21ac1bf253b8c6907", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211363.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3594", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3594", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3594", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3594", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3594", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3594" } }, "CVE-2022-3595": { "affected_versions": "unk to v6.1-rc1", "backport": true, "breaks": "a4e430c8c8ba96be8c6ec4f2eb108bb8bcbee069", "cmt_msg": "cifs: fix double-fault crash during ntlmssp", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Double Free", "fixes": "b854b4ee66437e6e1622fda90529c814978cb4ca", "last_affected_version": "6.0.15", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been rated as problematic. Affected by this issue is the function sess_free_buffer of the file fs/cifs/sess.c of the component CIFS Handler. The manipulation leads to double free. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211364.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3595", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3595", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3595", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3595", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3595", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3595" } }, "CVE-2022-3606": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211749 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3606", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3606", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3606", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3606", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3606" } }, "CVE-2022-36123": { "affected_versions": "v2.6.12-rc2 to v5.19-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86: Clear .brk area at early boot", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "38fa5479b41376dc9d7f57e71c83514285a25ca0", "last_affected_version": "5.18.12", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). 
This allows Xen PV guest OS users to cause a denial of service or gain privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-36123", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-36123", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-36123", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-36123", "SUSE": "https://www.suse.com/security/cve/CVE-2022-36123", "Ubuntu": "https://ubuntu.com/security/CVE-2022-36123" } }, "CVE-2022-3619": { "affected_versions": "v5.12-rc1-dontuse to v6.1-rc4", "breaks": "4d7ea8ee90e42fc75995f6fb24032d3233314528", "cmt_msg": "Bluetooth: L2CAP: Fix memory leak in vhci_write", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "score": 4.3 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "7c9524d929648935bac2bbb4c20437df8f9c3f42", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. 
VDB-211918 is the identifier assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3619", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3619", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3619", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3619", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3619", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3619" } }, "CVE-2022-3621": { "affected_versions": "v2.6.30-rc1 to v6.1-rc1", "breaks": "05fe58fdc10df9ebea04c0eaed57adc47af5c184", "cmt_msg": "nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "NULL Pointer Dereference", "fixes": "21a87d88c2253350e115029f14fe2a10a7e6c856", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211920.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3621", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3621", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3621", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3621", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3621", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3621" } }, "CVE-2022-3623": { "affected_versions": "v5.1-rc1 to v6.1-rc1", "breaks": "5480280d3f2d11d47f9be59d49b20a8d7d1b33e8", "cmt_msg": "mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.5 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "fac35ba763ed07ba93154c95ffc0c4a55023707f", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211921 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3623", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3623", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3623", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3623", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3623", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3623" } }, "CVE-2022-3624": { "affected_versions": "unk to v6.0-rc1", "backport": true, "breaks": "d5410ac7b0baeca91cf73ff5241d35998ecc8c9e", "cmt_msg": "bonding: fix reference count leak in balance-alb mode", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "4f5d33f4f798b1c6d92b613f0087f639d9836971", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel and classified as problematic. Affected by this issue is the function rlb_arp_xmit of the file drivers/net/bonding/bond_alb.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211928.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3624", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3624", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3624", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3624", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3624", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3624" } }, "CVE-2022-3625": { "affected_versions": "v4.19-rc1 to v6.0-rc1", "breaks": "45f05def5c44c806f094709f1c9b03dcecdd54f0", "cmt_msg": "devlink: Fix use-after-free after a failed reload", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "6b4db2e528f650c7fb712961aac36455468d5902", "last_affected_version": "5.19.3", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211929 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3625", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3625", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3625", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3625", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3625", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3625" } }, "CVE-2022-3628": { "affected_versions": "v3.8-rc1 to v6.1-rc5", "breaks": "5c36b99add5c3212b6cdb97cc206e1e3e0fa1e3c", "cmt_msg": "wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "6788ba8aed4e28e90f72d68a9d794e34eac17295", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. 
This can allow a local user to crash the system or escalate their privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3628", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3628", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3628", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3628", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3628", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3628" } }, "CVE-2022-36280": { "affected_versions": "v3.2-rc1 to v6.2-rc1", "breaks": "2ac863719e518ae1a8f328849e64ea26a222f079", "cmt_msg": "drm/vmwgfx: Validate the box size for the snooped cursor", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Out-of-bounds Write", "fixes": "4cf949c7fafe21e085a4ee386bb2dade9067316e", "last_affected_version": "6.1.3", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-36280", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-36280", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-36280", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-36280", "SUSE": "https://www.suse.com/security/cve/CVE-2022-36280", "Ubuntu": "https://ubuntu.com/security/CVE-2022-36280" } }, "CVE-2022-3629": { "affected_versions": "v3.9-rc1 to v6.0-rc1", "breaks": "d021c344051af91f42c5ba9fdedc176740cbd238", "cmt_msg": "vsock: Fix memory leak in vsock_connect()", "cvss2": { "Access Complexity": "High", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:H/Au:S/C:N/I:N/A:P", "score": 1.4 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "7e97cfed9929eaabc41829c395eb0d1350fccb9d", "last_affected_version": "5.19.3", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. 
VDB-211930 is the identifier assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3629", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3629", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3629", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3629", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3629", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3629" } }, "CVE-2022-3630": { "affected_versions": "v5.19-rc6 to v6.0-rc1", "breaks": "85e4ea1049c70fb99de5c6057e835d151fb647da", "cmt_msg": "fscache: don't leak cookie access refs if invalidation is in progress or failed", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "fb24771faf72a2fd62b3b6287af3c610c3ec9cf1", "last_affected_version": "5.19.3", "last_modified": "2023-12-27", "nvd_text": "A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects some unknown processing of the file fs/fscache/cookie.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211931.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3630", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3630", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3630", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3630" } }, "CVE-2022-3633": { "affected_versions": "v5.4-rc1 to v6.0-rc1", "breaks": "9d71dd0c70099914fcd063135da3c580865e924c", "cmt_msg": "can: j1939: j1939_session_destroy(): fix memory leak of skbs", "cvss2": { "Access Complexity": "Low", "Access Vector": "Adjacent Network", "Authentication": "Single", "Availability Impact": "Partial", "Confidentiality Impact": "None", "Integrity Impact": "None", "raw": "AV:A/AC:L/Au:S/C:N/I:N/A:P", "score": 2.7 }, "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 3.3 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "8c21c54a53ab21842f5050fa090f26b03c0313d6", "last_affected_version": "5.15.62", "last_modified": "2023-12-06", "nvd_text": "A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211932.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3633", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3633", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3633", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3633" } }, "CVE-2022-3635": { "affected_versions": "v2.6.12-rc2 to v6.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "atm: idt77252: fix use-after-free bugs caused by tst_timer", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "3f4093e2bf4673f218c0bf17d8362337c400e77b", "last_affected_version": "5.19.3", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
VDB-211934 is the identifier assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3635", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3635", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3635", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3635", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3635", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3635" } }, "CVE-2022-3636": { "affected_versions": "unk to v5.19-rc1", "backport": true, "breaks": "33fc42de33278b2b3ec6f3390512987bc29a62b7", "cmt_msg": "net: ethernet: mtk_eth_soc: use after free in __mtk_ppe_check_skb()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "17a5f6a78dc7b8db385de346092d7d9f9dc24df6", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211935.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3636", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3636", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3636", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3636" } }, "CVE-2022-3640": { "affected_versions": "v5.19 to v6.1-rc4", "breaks": "d0be8347c623e0ac4202a1d4e0373882821f56b0", "cmt_msg": "Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "0d0e2d032811280b927650ff3c15fe5020e82533", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211944.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3640", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3640", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3640", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3640", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3640", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3640" } }, "CVE-2022-36402": { "affected_versions": "v4.3-rc1 to v6.5", "breaks": "d80efd5cb3dec16a8d1aea9b8a4a7921972dba65", "cmt_msg": "drm/vmwgfx: Fix shader stage validation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Integer Overflow or Wraparound", "fixes": "14abdfae508228a7307f7491b5c4215ae70c6542", "last_affected_version": "6.4", "last_modified": "2024-02-02", "nvd_text": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-36402", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-36402", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-36402", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-36402", "SUSE": "https://www.suse.com/security/cve/CVE-2022-36402", "Ubuntu": "https://ubuntu.com/security/CVE-2022-36402" } }, "CVE-2022-3642": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. 
Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3642", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3642", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3642", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3642", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3642", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3642" }, "rejected": true }, "CVE-2022-3643": { "affected_versions": "v3.19-rc1 to v6.1", "breaks": "7e5d7753956b374516530e156c5e8aa19652398d", "cmt_msg": "xen/netback: Ensure protocol headers don't fall in the non-linear area", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "fixes": "ad7f402ae4f466647c3a669b8a6f3e5d4271c84a", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. 
In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3643", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3643", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3643", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3643", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3643", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3643" } }, "CVE-2022-3646": { "affected_versions": "v2.6.30-rc1 to v6.1-rc1", "breaks": "9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453", "cmt_msg": "nilfs2: fix leak of nilfs_root in case of writer thread creation failure", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "Low", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 4.3 }, "cwe": "Improper Resource Shutdown or Release", "fixes": "d0d51a97063db4704a5ef6bc978dddab1636a306", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. 
The identifier VDB-211961 was assigned to this vulnerability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3646", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3646", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3646", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3646" } }, "CVE-2022-3649": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nilfs2: fix use-after-free bug of struct nilfs_root", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "fixes": "d325dc6eb763c10f591c239550b8c7e5466a5d09", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. 
The identifier of this vulnerability is VDB-211992.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3649", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3649", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3649", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3649", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3649", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3649" } }, "CVE-2022-36879": { "affected_versions": "v2.6.35-rc1 to v5.19-rc8", "breaks": "80c802f3073e84c956846e921e8a0b02dfa3755f", "cmt_msg": "xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "f85daf0e725358be78dfd208dea5fd665d8cb901", "last_affected_version": "5.18.14", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.18.14. 
xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-36879", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-36879", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-36879", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-36879", "SUSE": "https://www.suse.com/security/cve/CVE-2022-36879", "Ubuntu": "https://ubuntu.com/security/CVE-2022-36879" } }, "CVE-2022-36946": { "affected_versions": "v2.6.14-rc1 to v5.19", "breaks": "7af4cc3fa158ff1dda6e7451c7e6afa6b0bb85cb", "cmt_msg": "netfilter: nf_queue: do not allow packet truncation below transport header offset", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Unspecified", "fixes": "99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164", "last_affected_version": "5.18", "last_modified": "2023-12-06", "nvd_text": "nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-36946", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-36946", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-36946", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-36946", "SUSE": "https://www.suse.com/security/cve/CVE-2022-36946", "Ubuntu": "https://ubuntu.com/security/CVE-2022-36946" } }, "CVE-2022-3707": { "affected_versions": "v4.19-rc1 to v6.2-rc3", "breaks": "b901b252b6cf5cecc612059ccf05d974a9085c58", "cmt_msg": "drm/i915/gvt: fix double free bug in 
split_2MB_gtt_entry", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "4a61648af68f5ba4884f0e3b494ee1cabc4b6620", "last_affected_version": "6.1.4", "last_modified": "2023-12-06", "nvd_text": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3707", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3707", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3707", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3707", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3707" } }, "CVE-2022-38096": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-38096", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-38096", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-38096", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-38096", "SUSE": "https://www.suse.com/security/cve/CVE-2022-38096", "Ubuntu": "https://ubuntu.com/security/CVE-2022-38096" } }, "CVE-2022-38457": { "affected_versions": "v4.20-rc1 to v6.2-rc4", "breaks": "e8c66efbfe3a2e3cbc573f2474a3d51690f1b857", "cmt_msg": "drm/vmwgfx: Remove rcu locks from user resources", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "last_affected_version": "6.1.6", "last_modified": "2023-12-06", "nvd_text": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-38457", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-38457", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-38457", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-38457", "SUSE": "https://www.suse.com/security/cve/CVE-2022-38457", "Ubuntu": "https://ubuntu.com/security/CVE-2022-38457" } }, "CVE-2022-3903": { "affected_versions": "v2.6.12-rc2 to v6.1-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: mceusb: Use new usb_control_msg_*() routines", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "41fd1cb6151439b205ac7611883d85ae14250172", "last_modified": "2023-12-06", "nvd_text": "An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. 
A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3903", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3903", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3903", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3903", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3903", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3903" } }, "CVE-2022-3910": { "affected_versions": "v5.18 to v6.0-rc6", "breaks": "aa184e8671f0f911fc2fb3f68cd506e4d7838faa", "cmt_msg": "io_uring/msg_ring: check file type before putting", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "fc7222c3a9f56271fba02aabbfbae999042f1679", "last_affected_version": "5.19.10", "last_modified": "2023-12-06", "nvd_text": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.\nWhen io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). 
Fixed files are permanently registered to the ring, and should not be put separately.\n\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 \n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3910", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3910", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3910", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3910", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3910", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3910" } }, "CVE-2022-39188": { "affected_versions": "v2.6.12-rc2 to v5.19-rc8", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mmu_gather: Force tlb-flush VM_PFNMAP vmas", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "b67fbebd4cf980aecbcc750e1462128bffe8ae15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. 
This only occurs in situations with VM_PFNMAP VMAs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-39188", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-39188", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-39188", "SUSE": "https://www.suse.com/security/cve/CVE-2022-39188", "Ubuntu": "https://ubuntu.com/security/CVE-2022-39188" } }, "CVE-2022-39189": { "affected_versions": "v4.16-rc1 to v5.19-rc2", "breaks": "f38a7b75267f1fb240a8178cbcb16d66dd37aac8", "cmt_msg": "KVM: x86: do not report a vCPU as preempted outside instruction boundaries", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "6cd88243c7e03845a450795e134b488fc2afb736", "last_affected_version": "5.18.16", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. 
Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-39189", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-39189", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-39189", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-39189", "SUSE": "https://www.suse.com/security/cve/CVE-2022-39189", "Ubuntu": "https://ubuntu.com/security/CVE-2022-39189" } }, "CVE-2022-39190": { "affected_versions": "v5.9-rc1 to v6.0-rc3", "breaks": "d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87", "cmt_msg": "netfilter: nf_tables: disallow binding to already bound chain", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "e02f0d3970404bfea385b6edb86f2d936db0ea2b", "last_affected_version": "5.19.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. 
A denial of service can occur upon binding to an already bound chain.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-39190", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-39190", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-39190", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-39190", "SUSE": "https://www.suse.com/security/cve/CVE-2022-39190", "Ubuntu": "https://ubuntu.com/security/CVE-2022-39190" } }, "CVE-2022-3977": { "affected_versions": "v5.18-rc1 to v6.1-rc1", "breaks": "63ed1aab3d40aa61aaa66819bdce9377ac7f40fa", "cmt_msg": "mctp: prevent double key removal and unref", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "3a732b46736cd8a29092e4b0b1a9ba83e672bf89", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality. 
This issue occurs when a user simultaneously calls DROPTAG ioctl and socket close happens, which could allow a local user to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-3977", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-3977", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-3977", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-3977", "SUSE": "https://www.suse.com/security/cve/CVE-2022-3977", "Ubuntu": "https://ubuntu.com/security/CVE-2022-3977" } }, "CVE-2022-39842": { "affected_versions": "v2.6.38-rc1 to v5.19-rc4", "breaks": "364dbdf3b6c31a4a5fb7a6d479e7aafb4a7a10b6", "cmt_msg": "video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "score": 6.1 }, "cwe": "Integer Overflow or Wraparound", "fixes": "a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7", "last_affected_version": "5.15.69", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. 
NOTE: the original discoverer disputes that the overflow can actually happen.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-39842", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-39842", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-39842", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-39842", "SUSE": "https://www.suse.com/security/cve/CVE-2022-39842", "Ubuntu": "https://ubuntu.com/security/CVE-2022-39842" } }, "CVE-2022-40133": { "affected_versions": "v4.20-rc1 to v6.2-rc4", "breaks": "e8c66efbfe3a2e3cbc573f2474a3d51690f1b857", "cmt_msg": "drm/vmwgfx: Remove rcu locks from user resources", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "a309c7194e8a2f8bd4539b9449917913f6c2cd50", "last_affected_version": "6.1.6", "last_modified": "2023-12-06", "nvd_text": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. 
This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-40133", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-40133", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-40133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-40133", "SUSE": "https://www.suse.com/security/cve/CVE-2022-40133", "Ubuntu": "https://ubuntu.com/security/CVE-2022-40133" } }, "CVE-2022-40307": { "affected_versions": "v4.7-rc1 to v6.0-rc5", "breaks": "65117f1aa1b2d145fd5ca376bde642794d0aae1b", "cmt_msg": "efi: capsule-loader: Fix use-after-free in efi_capsule_write", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Use After Free", "fixes": "9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95", "last_affected_version": "5.19.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 5.19.8. 
drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-40307", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-40307", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-40307", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-40307", "SUSE": "https://www.suse.com/security/cve/CVE-2022-40307", "Ubuntu": "https://ubuntu.com/security/CVE-2022-40307" } }, "CVE-2022-40476": { "affected_versions": "v5.19-rc1 to v5.19-rc4", "breaks": "9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "386e4fb6962b9f248a80f8870aea0870ca603e89", "last_modified": "2023-12-06", "nvd_text": "A null pointer dereference issue was discovered in fs/io_uring.c in the Linux kernel before 5.15.62. 
A local user could use this flaw to crash the system or potentially cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-40476", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-40476", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-40476", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-40476", "SUSE": "https://www.suse.com/security/cve/CVE-2022-40476", "Ubuntu": "https://ubuntu.com/security/CVE-2022-40476" } }, "CVE-2022-40768": { "affected_versions": "v2.6.19-rc1 to v6.1-rc1", "breaks": "5a25ba1677ab8d63890016a8c1bca68a3e0fbc7d", "cmt_msg": "scsi: stex: Properly zero out the passthrough command structure", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Resource to Wrong Sphere", "fixes": "6022f210461fef67e6e676fd8544ca02d1bcfa7a", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-40768", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-40768", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-40768", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-40768", "SUSE": "https://www.suse.com/security/cve/CVE-2022-40768", "Ubuntu": "https://ubuntu.com/security/CVE-2022-40768" } }, "CVE-2022-4095": { "affected_versions": "v2.6.37-rc1 to v6.0-rc4", "breaks": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef", "cmt_msg": "staging: rtl8712: fix use after free bugs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "e230a4455ac3e9b112f0367d1b8e255e141afae0", "last_affected_version": "5.19.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4095", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4095", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4095", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4095" } }, "CVE-2022-40982": { "affected_versions": "v2.6.12-rc2 to v6.5-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/speculation: Add Gather Data Sampling mitigation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "fixes": "8974eb588283b7d44a7c91fa09fcbaf380339f3a", "last_affected_version": "6.4.8", "last_modified": "2023-12-06", "nvd_text": "Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-40982", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-40982", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-40982", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-40982", "SUSE": "https://www.suse.com/security/cve/CVE-2022-40982", "Ubuntu": "https://ubuntu.com/security/CVE-2022-40982" } }, "CVE-2022-41218": { "affected_versions": "v2.6.22-rc1 to v6.2-rc1", "breaks": "57861b432bda77f8bfafda2fb6f5a922d5f3aef1", "cmt_msg": "media: dvb-core: Fix UAF due to refcount races at releasing", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "fd3d91ab1c6ab0628fe642dd570b56302c30a792", "last_affected_version": "6.1.3", "last_modified": "2023-12-06", "nvd_text": "In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41218", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41218", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41218", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41218", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41218", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41218" } }, "CVE-2022-41222": { "affected_versions": "v2.6.12-rc2 to v5.14-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm/mremap: hold the rmap lock in write mode when moving page table entries.", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": 
"97113eb39fa7972722ff490b947d8af023e1f6a2", "last_affected_version": "5.13.2", "last_modified": "2023-12-06", "nvd_text": "mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41222", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41222", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41222", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41222", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41222", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41222" } }, "CVE-2022-4127": { "affected_versions": "v5.19-rc1 to v5.19-rc6", "breaks": "a7c41b4687f5902af70cd559806990930c8a307b", "cmt_msg": "io_uring: check that we have a file table when allocating update slots", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "d785a773bed966a75ca1f11d108ae1897189975b", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. 
A local user could use this flaw to potentially crash the system causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4127", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4127", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4127", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4127", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4127", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4127" } }, "CVE-2022-4128": { "affected_versions": "v5.17-rc1 to v5.19-rc7", "breaks": "b29fcfb54cd70caca5b11c80d8d238854938884a", "cmt_msg": "mptcp: fix subflow traversal at disconnect time", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "5c835bb142d4013c2ab24bff5ae9f6709a39cbcf", "last_affected_version": "5.18.12", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference issue was discovered in the Linux kernel in the MPTCP protocol when traversing the subflow list at disconnect time. 
A local user could use this flaw to potentially crash the system causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4128", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4128", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4128", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4128" } }, "CVE-2022-4129": { "affected_versions": "v2.6.23-rc1 to v6.1-rc6", "breaks": "3557baabf28088f49bdf72a048fd33ab62e205b1", "cmt_msg": "l2tp: Serialize access to sk_user_data with sk_callback_lock", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "b68777d54fac21fc833ec26ea1a2a84f975ab035", "last_affected_version": "5.15.90", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. 
A local user could use this flaw to potentially crash the system causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4129", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4129", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4129", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4129", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4129", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4129" } }, "CVE-2022-4139": { "affected_versions": "v5.17-rc2 to v6.1-rc8", "breaks": "7938d61591d33394a21bdd7797a245b65428f44c", "cmt_msg": "drm/i915: fix TLB invalidation for Gen12 video and compute engines", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "04aa64375f48a5d430b5550d9271f8428883e550", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "An incorrect TLB flush issue was found in the Linux kernel\u2019s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. 
This flaw could allow a local user to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4139", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4139", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4139", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4139", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4139", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4139" } }, "CVE-2022-41674": { "affected_versions": "v5.1-rc1 to v6.1-rc1", "breaks": "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", "cmt_msg": "wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 8.1 }, "cwe": "Out-of-bounds Write", "fixes": "aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.19.16. 
Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41674", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41674", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41674", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41674", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41674", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41674" } }, "CVE-2022-41848": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.2 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41848", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41848", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41848", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41848", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41848", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41848" } }, "CVE-2022-41849": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbdev: smscufx: Fix use-after-free in ufx_ops_open()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.2 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "5610bcfe8693c02e2e4c8b31427f1bdbdecc839c", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41849", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41849", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41849", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41849", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41849", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41849" } }, "CVE-2022-41850": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: roccat: Fix use-after-free in roccat_read()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "cacdb14b1c8d3804a3a7d31773bc7569837b71a4", "last_affected_version": "6.0.2", "last_modified": "2024-04-06", "nvd_text": "roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a 
report->value is in progress.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41850", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41850", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41850", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41850", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41850", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41850" } }, "CVE-2022-41858": { "affected_versions": "v2.6.12-rc2 to v5.18-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drivers: net: slip: fix NPD bug in sl_tx_timeout()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Use After Free", "fixes": "ec4eb8a86ade4d22633e1da2a7d85a846b7d1798", "last_affected_version": "5.17.3", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. 
This issue could allow an attacker to crash the system or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-41858", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-41858", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-41858", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-41858", "SUSE": "https://www.suse.com/security/cve/CVE-2022-41858", "Ubuntu": "https://ubuntu.com/security/CVE-2022-41858" } }, "CVE-2022-42328": { "affected_versions": "v5.16-rc7 to v6.1", "breaks": "be81992f9086b230623ae3ebbc85ecee4d00a3d3", "cmt_msg": "xen/netback: don't call kfree_skb() with interrupts disabled", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Locking", "fixes": "74e7e1efdad45580cc3839f2a155174cf158f9b5", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). 
Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42328", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42328", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42328", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42328", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42328", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42328" } }, "CVE-2022-42329": { "affected_versions": "v5.16-rc7 to v6.1", "breaks": "be81992f9086b230623ae3ebbc85ecee4d00a3d3", "cmt_msg": "xen/netback: don't call kfree_skb() with interrupts disabled", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Improper Locking", "fixes": "74e7e1efdad45580cc3839f2a155174cf158f9b5", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). 
Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42329", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42329", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42329", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42329", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42329", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42329" } }, "CVE-2022-42432": { "affected_versions": "v5.2-rc1 to v6.0-rc7", "breaks": "22c7652cdaa8cd33ce78bacceb4e826a3f795873", "cmt_msg": "netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "fixes": "559c36c5a8d730c49ef805a72b213d3bba155cc8", "last_affected_version": "5.19.11", "last_modified": "2023-12-06", "nvd_text": "This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. 
Was ZDI-CAN-18540.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42432", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42432", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42432", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42432", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42432", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42432" } }, "CVE-2022-4269": { "affected_versions": "v4.10-rc1 to v6.3-rc1", "breaks": "53592b3640019f2834701093e38272fdfd367ad8", "cmt_msg": "act_mirred: use the backlog for nested calls to mirred ingress", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Deadlock", "fixes": "ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel Traffic Control (TC) subsystem. 
Using a specific networking configuration (redirecting egress packets to ingress using TC action \"mirred\") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4269", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4269", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4269", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4269", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4269", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4269" } }, "CVE-2022-42703": { "affected_versions": "v3.19-rc4 to v6.0-rc4", "breaks": "7a3ef208e662f4b63d43a23f61a64a129c525bbc", "cmt_msg": "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "2555283eb40df89945557273121e9393ef9b542b", "last_affected_version": "5.19.6", "last_modified": "2023-12-06", "nvd_text": "mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42703", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42703", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42703", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42703", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42703", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42703" } }, "CVE-2022-42719": { "affected_versions": "v5.2-rc1 to v6.1-rc1", "breaks": "5023b14cf4df4d22e1a80738167f3438c9e62e5f", "cmt_msg": "wifi: mac80211: fix MBSSID 
parsing use-after-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Use After Free", "fixes": "ff05d4b45dd89b922578dac497dcabf57cf771c6", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42719", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42719", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42719", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42719", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42719", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42719" } }, "CVE-2022-42720": { "affected_versions": "v5.1-rc1 to v6.1-rc1", "breaks": "a3584f56de1c808d4383a275b4a74467b19e5645", "cmt_msg": "wifi: cfg80211: fix BSS refcounting bugs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "0b7808818cb9df6680f98996b8e9a439fa7bcc2f", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42720", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42720", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42720", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42720", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42720", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42720" } }, "CVE-2022-42721": { "affected_versions": "v5.1-rc1 to v6.1-rc1", "breaks": "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", "cmt_msg": "wifi: cfg80211: avoid nontransmitted BSS list corruption", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Loop with Unreachable Exit Condition ('Infinite Loop')", "fixes": "bcca852027e5878aec911a347407ecc88d6fff7f", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42721", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42721", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42721", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42721", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42721", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42721" } }, "CVE-2022-42722": { "affected_versions": "v5.8-rc1 to v6.1-rc1", "breaks": "9eaf183af741e3d8393eb571ac8aec9ee7d6530e", "cmt_msg": "wifi: mac80211: fix crash in beacon protection for P2P-device", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": 
"None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "b2d03cabe2b2e150ff5a381731ea0355459be09f", "last_affected_version": "6.0.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42722", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42722", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42722", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42722", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42722", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42722" } }, "CVE-2022-42895": { "affected_versions": "v2.6.12-rc2 to v6.1-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: L2CAP: Fix attempting to access uninitialized memory", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwe": "Access of Uninitialized Pointer", "fixes": "b1a2cd50c0357f243b7435a732b4e62ba3157a2e", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely.\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e\n\n", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2022-42895", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42895", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42895", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42895", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42895", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42895" } }, "CVE-2022-42896": { "affected_versions": "v2.6.12-rc2 to v6.1-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Use After Free", "fixes": "711f8c3fb3db61897080468586b970c87c61d9e4", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.\n\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-42896", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-42896", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-42896", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-42896", "SUSE": "https://www.suse.com/security/cve/CVE-2022-42896", "Ubuntu": "https://ubuntu.com/security/CVE-2022-42896" } }, "CVE-2022-43750": { "affected_versions": 
"v2.6.21-rc1 to v6.1-rc1", "breaks": "6f23ee1fefdc1f80bd8a3ab04a1c41ab2dec14c9", "cmt_msg": "usb: mon: make mmapped memory read only", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "cwe": "Out-of-bounds Write", "fixes": "a659daf63d16aa883be42f3f34ff84235c302198", "last_affected_version": "6.0.0", "last_modified": "2023-12-06", "nvd_text": "drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-43750", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-43750", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-43750", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-43750", "SUSE": "https://www.suse.com/security/cve/CVE-2022-43750", "Ubuntu": "https://ubuntu.com/security/CVE-2022-43750" } }, "CVE-2022-4378": { "affected_versions": "v5.8-rc1 to v6.1", "breaks": "32927393dc1ccd60fb2bdc05b9e8e88753761469", "cmt_msg": "proc: proc_skip_spaces() shouldn't think it is working on C strings", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "fixes": "bce9332220bd677d83b19d21502776ad555a0e73", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4378", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4378", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4378", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4378", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4378", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4378" } }, "CVE-2022-4379": { "affected_versions": "v5.6-rc1 to v6.2-rc1", "breaks": "ce0887ac96d35c7105090e166bb0807dc0a0e838", "cmt_msg": "NFSD: fix use-after-free in __nfs42_ssc_open()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Use After Free", "fixes": "75333d48f92256a0dec91dbf07835e804fc411c0", "last_affected_version": "6.1.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. 
This flaw allows an attacker to conduct a remote denial", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4379", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4379", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4379", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4379", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4379", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4379" } }, "CVE-2022-4382": { "affected_versions": "v5.3-rc1 to v6.2-rc5", "breaks": "e5d82a7360d124ae1a38c2a5eac92ba49b125191", "cmt_msg": "USB: gadgetfs: Fix race between mounting and unmounting", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Use After Free", "fixes": "d18dcfe9860e842f394e37ba01ca9440ab2178f4", "last_affected_version": "6.1.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. 
It could be triggered by yanking out a device that is running the gadgetfs side.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4382", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4382", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4382", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4382", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4382", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4382" } }, "CVE-2022-43945": { "affected_versions": "v5.11-rc1 to v6.1-rc1", "breaks": "5191955d6fc65e6d4efe8f4f10a6028298f57281", "cmt_msg": "NFSD: Protect against send buffer overflow in NFSv2 READDIR", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Allocation of Resources Without Limits or Throttling", "fixes": "00b4492686e0497fdb924a9d4c8f6f99377e176c", "last_affected_version": "6.0.2", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 is vulnerable to a buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. 
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-43945", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-43945", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-43945", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-43945", "SUSE": "https://www.suse.com/security/cve/CVE-2022-43945", "Ubuntu": "https://ubuntu.com/security/CVE-2022-43945" } }, "CVE-2022-44032": { "affected_versions": "v2.6.12-rc2 to v6.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "char: pcmcia: remove all the drivers", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.6. 
drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-44032", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-44032", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-44032", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-44032", "SUSE": "https://www.suse.com/security/cve/CVE-2022-44032", "Ubuntu": "https://ubuntu.com/security/CVE-2022-44032" } }, "CVE-2022-44033": { "affected_versions": "v2.6.12-rc2 to v6.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "char: pcmcia: remove all the drivers", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.6. 
drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-44033", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-44033", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-44033", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-44033", "SUSE": "https://www.suse.com/security/cve/CVE-2022-44033", "Ubuntu": "https://ubuntu.com/security/CVE-2022-44033" } }, "CVE-2022-44034": { "affected_versions": "v4.10-rc1 to v6.4-rc1", "breaks": "f2ed287bcc9073d8edbf6561c389b282163edc78", "cmt_msg": "char: pcmcia: remove all the drivers", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.6. 
drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-44034", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-44034", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-44034", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-44034", "SUSE": "https://www.suse.com/security/cve/CVE-2022-44034", "Ubuntu": "https://ubuntu.com/security/CVE-2022-44034" } }, "CVE-2022-4543": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Exposure of Sensitive Information to an Unauthorized Actor", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). 
This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4543", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4543", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4543", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4543", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4543", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4543" } }, "CVE-2022-45869": { "affected_versions": "v5.12-rc1-dontuse to v6.1-rc7", "breaks": "a2855afc7ee88475e8feb16840b23f787bfc994d", "cmt_msg": "KVM: x86/mmu: Fix race condition in direct_page_fault", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "47b0c2e4c220f2251fd8dcfbb44479819c715e15", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45869", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45869", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45869", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45869", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45869", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45869" } }, "CVE-2022-45884": { "affected_versions": "v2.6.21-rc2 to unk", "breaks": "b61901024776b25ce7b8edc31bb1757c7382a88e", "cvss3": { 
"Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45884", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45884", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45884", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45884", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45884", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45884" } }, "CVE-2022-45885": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.9. 
drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45885", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45885", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45885", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45885", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45885", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45885" } }, "CVE-2022-45886": { "affected_versions": "v2.6.12-rc2 to v6.4-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: dvb-core: Fix use-after-free due on race condition at dvb_net", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "4172385b0c9ac366dcab78eda48c26814b87ed1a", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.9. 
drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45886", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45886", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45886", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45886", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45886", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45886" } }, "CVE-2022-45887": { "affected_versions": "v2.6.12-rc2 to v6.4-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "517a281338322ff8293f988771c98aaa7205e457", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.9. 
drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45887", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45887", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45887", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45887", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45887", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45887" } }, "CVE-2022-45888": { "affected_versions": "v5.14-rc1 to v6.2-rc1", "breaks": "a53d1202aef122894b6e46116a92174a9123db5d", "cmt_msg": "char: xillybus: Prevent use-after-free due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "cwe": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "fixes": "282a4b71816b6076029017a7bab3a9dcee12a920", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.9. 
drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45888", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45888", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45888", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45888", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45888", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45888" } }, "CVE-2022-45919": { "affected_versions": "v2.6.12-rc2 to v6.4-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Use After Free", "fixes": "280a8ab81733da8bc442253c700a52c4c0886ffd", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.10. 
In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45919", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45919", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45919", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45919", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45919", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45919" } }, "CVE-2022-45934": { "affected_versions": "v2.6.12-rc2 to v6.1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: L2CAP: Fix u8 overflow", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "bcd70260ef56e0aee8a4fc6cd214a419900b0765", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.0.10. 
l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-45934", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-45934", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-45934", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-45934", "SUSE": "https://www.suse.com/security/cve/CVE-2022-45934", "Ubuntu": "https://ubuntu.com/security/CVE-2022-45934" } }, "CVE-2022-4662": { "affected_versions": "v2.6.12-rc2 to v6.0-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "USB: core: Prevent nested device-reset calls", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Non-exit on Failed Initialization", "fixes": "9c6d778800b921bde3bff3cff5003d1650f942d1", "last_affected_version": "5.19.7", "last_modified": "2023-12-06", "nvd_text": "An incorrect access control flaw in the Linux kernel USB core subsystem was found in the way a user attaches a USB device. 
A local user could use this flaw to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4662", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4662", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4662", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4662", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4662", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4662" } }, "CVE-2022-4696": { "affected_versions": "v5.10-rc1 to v5.12-rc1-dontuse", "breaks": "0f203765880c4416675726be558b65da4a7604e2", "cmt_msg": "io_uring: remove any grabbing of context", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Use After Free", "fixes": "44526bedc2ff8fcd58552e3c5bae928524b6f13c", "last_modified": "2023-12-06", "nvd_text": "There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. IORING_OP_SPLICE can be missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true, as calling io_splice on specific files will call the get_uts function, which will use current->nsproxy, leading to invalidly decreasing its reference counter later and causing the use-after-free vulnerability. 
We recommend upgrading to version 5.10.160 or above\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4696", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4696", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4696", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4696", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4696", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4696" } }, "CVE-2022-4744": { "affected_versions": "v2.6.12-rc2 to v5.16-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tun: avoid double free in tun_free_netdev", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "158b515f703e75e7d68289bf4d98c664e1d632df", "last_affected_version": "5.15.11", "last_modified": "2023-12-06", "nvd_text": "A double-free flaw was found in the Linux kernel\u2019s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4744", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4744", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4744", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4744", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4744", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4744" } }, "CVE-2022-47518": { "affected_versions": "v5.7-rc1 to v6.1-rc8", "breaks": "4fb8b5aa2a1126783ae00bae544d6f3c519408ef", "cmt_msg": "wifi: wilc1000: validate number of channels", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.0.11. 
Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47518", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47518", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47518", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47518", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47518", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47518" } }, "CVE-2022-47519": { "affected_versions": "v5.7-rc1 to v6.1-rc8", "breaks": "4fb8b5aa2a1126783ae00bae544d6f3c519408ef", "cmt_msg": "wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "051ae669e4505abbe05165bebf6be7922de11f41", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.0.11. 
Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47519", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47519", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47519", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47519", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47519", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47519" } }, "CVE-2022-47520": { "affected_versions": "v4.2-rc1 to v6.1-rc8", "breaks": "c5c77ba18ea66aa05441c71e38473efb787705a4", "cmt_msg": "wifi: wilc1000: validate pairwise and authentication suite offsets", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "cwe": "Out-of-bounds Read", "fixes": "cd21d99e595ec1d8721e1058dcdd4f1f7de1d793", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.0.11. 
Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47520", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47520", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47520", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47520", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47520", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47520" } }, "CVE-2022-47521": { "affected_versions": "v5.7-rc1 to v6.1-rc8", "breaks": "4fb8b5aa2a1126783ae00bae544d6f3c519408ef", "cmt_msg": "wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Out-of-bounds Write", "fixes": "f9b62f9843c7b0afdaecabbcebf1dbba18599408", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.0.11. 
Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47521", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47521", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47521", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47521", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47521", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47521" } }, "CVE-2022-47929": { "affected_versions": "v4.3-rc1 to v6.2-rc4", "breaks": "d66d6c3152e8d5a6db42a56bf7ae1c6cae87ba48", "cmt_msg": "net: sched: disallow noqueue for qdisc classes", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "96398560f26aa07e8f2969d73c8197e6a6d10407", "last_affected_version": "6.1.5", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with \"tc qdisc\" and \"tc class\" commands. 
This affects qdisc_graft in net/sched/sch_api.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47929", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47929", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47929", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47929", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47929", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47929" } }, "CVE-2022-47938": { "affected_versions": "v5.15-rc1 to v6.0-rc1", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Out-of-bounds Read", "fixes": "824d4f64c20093275f72fc8101394d75ff6a249e", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. 
fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47938", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47938", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47938", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47938" } }, "CVE-2022-47939": { "affected_versions": "v5.15-rc1 to v6.0-rc1", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: fix use-after-free bug in smb2_tree_disconect", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Use After Free", "fixes": "cf6531d98190fa2cf92a6d8bbc8af0a4740a223c", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. 
fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47939", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47939", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47939", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47939", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47939", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47939" } }, "CVE-2022-47940": { "affected_versions": "v5.15-rc1 to v5.19-rc1", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: validate length in smb2_write()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 8.1 }, "cwe": "Out-of-bounds Read", "fixes": "158a66b245739e15858de42c0ba60fcf3de9b8e6", "last_affected_version": "5.18.17", "last_modified": "2023-12-27", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. 
fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47940", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47940", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47940", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47940", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47940", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47940" } }, "CVE-2022-47941": { "affected_versions": "v5.15-rc1 to v6.0-rc1", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: fix memory leak in smb2_handle_negotiate", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Missing Release of Memory after Effective Lifetime", "fixes": "aa7253c2393f6dcd6a1468b0792f6da76edad917", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. 
fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47941", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47941", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47941", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47941", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47941", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47941" } }, "CVE-2022-47942": { "affected_versions": "v5.15-rc1 to v6.0-rc1", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: fix heap-based overflow in set_ntacl_dacl()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "cwe": "Out-of-bounds Write", "fixes": "8f0541186e9ad1b62accc9519cc2b7a7240272a7", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. 
There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47942", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47942", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47942", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47942", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47942", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47942" } }, "CVE-2022-47943": { "affected_versions": "v5.15-rc1 to v6.0-rc1", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: prevent out of bound read for SMB2_WRITE", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 8.1 }, "cwe": "Out-of-bounds Read", "fixes": "ac60778b87e45576d7bfdbd6f53df902654e6f09", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. 
There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47943", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47943", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47943", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47943", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47943", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47943" } }, "CVE-2022-47946": { "affected_versions": "v5.1-rc1 to v5.12-rc2", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: kill sqo_dead and sqo submission halting", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Use After Free", "fixes": "70aacfe66136809d7f080f89c492c278298719f4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. 
NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-47946", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-47946", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-47946", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-47946", "SUSE": "https://www.suse.com/security/cve/CVE-2022-47946", "Ubuntu": "https://ubuntu.com/security/CVE-2022-47946" } }, "CVE-2022-4842": { "affected_versions": "v5.15-rc1 to v6.2-rc1", "breaks": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "cmt_msg": "fs/ntfs3: Fix attr_punch_hole() null pointer derenference", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "6d5c9e79b726cc473d40e9cb60976dbe8e669624", "last_affected_version": "6.1.7", "last_modified": "2023-12-06", "nvd_text": "A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. 
A local user could use this flaw to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-4842", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-4842", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-4842", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-4842", "SUSE": "https://www.suse.com/security/cve/CVE-2022-4842", "Ubuntu": "https://ubuntu.com/security/CVE-2022-4842" } }, "CVE-2022-48423": { "affected_versions": "v5.15-rc1 to v6.2-rc1", "breaks": "12dad495eaab95e0bb784c43869073617c513ea4", "cmt_msg": "fs/ntfs3: Validate resident attribute name", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "54e45702b648b7c0000e90b3e9b890e367e16ea8", "last_affected_version": "6.1.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. 
An out-of-bounds write may occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48423", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48423", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48423", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48423", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48423", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48423" } }, "CVE-2022-48424": { "affected_versions": "v5.15-rc1 to v6.2-rc1", "breaks": "12dad495eaab95e0bb784c43869073617c513ea4", "cmt_msg": "fs/ntfs3: Validate attribute name offset", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "4f1dc7d9756e66f3f876839ea174df2e656b7f79", "last_affected_version": "6.1.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. 
An unhandled page fault may occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48424", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48424", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48424", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48424", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48424", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48424" } }, "CVE-2022-48425": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "12dad495eaab95e0bb784c43869073617c513ea4", "cmt_msg": "fs/ntfs3: Validate MFT flags before replaying logs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "98bea253aa28ad8be2ce565a9ca21beb4a9419e5", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48425", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48425", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48425", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48425", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48425", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48425" } }, "CVE-2022-48502": { "affected_versions": "v5.15-rc1 to v6.2-rc1", "breaks": "f7464060f7ab9a2424428008f0ee9f1e267e410f", "cmt_msg": "fs/ntfs3: Check fields while reading", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b", "last_affected_version": "6.1.39", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48502", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48502", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48502", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48502", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48502" } }, "CVE-2022-48619": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: add bounds checking to input_set_capability()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "409353cbe9fe48f6bc196114c442b1cff05a39bc", "last_affected_version": "5.17.9", "last_modified": "2024-02-02", "nvd_text": "An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. 
An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48619", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48619", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48619", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48619", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48619", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48619" } }, "CVE-2022-48626": { "affected_versions": "unk to v5.17-rc4", "breaks": "", "cmt_msg": "moxart: fix potential use-after-free on remove path", "fixes": "bd2db32e7c3e35bd4d9b8bbff689434a50893546", "last_affected_version": "5.16.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmoxart: fix potential use-after-free on remove path\n\nIt was reported that the mmc host structure could be accessed after it\nwas freed in moxart_remove(), so fix this by saving the base register of\nthe device and using it instead of the pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48626", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48626", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48626", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48626", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48626", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48626" } }, "CVE-2022-48627": { "affected_versions": "v3.7-rc1 to v5.19-rc7", "breaks": "81732c3b2fede049a692e58a7ceabb6d18ffb18c", "cmt_msg": "vt: fix memory overlapping when deleting chars in the buffer", "fixes": "39cdb68c64d84e71a4a717000b6e5de208ee60cc", "last_affected_version": "5.18.12", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix memory overlapping when deleting 
chars in the buffer\n\nA memory overlapping copy occurs when deleting a long line. This memory\noverlapping copy can cause data corruption when scr_memcpyw is optimized\nto memcpy because memcpy does not ensure its behavior if the destination\nbuffer overlaps with the source buffer. The line buffer is not always\nbroken, because the memcpy utilizes the hardware acceleration, whose\nresult is not deterministic.\n\nFix this problem by replacing scr_memcpyw with scr_memmovew.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48627", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48627", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48627", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48627", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48627", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48627" } }, "CVE-2022-48628": { "affected_versions": "v2.6.12-rc2 to v6.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ceph: drop messages from MDS when unmounting", "fixes": "e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won't wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. 
This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb->s_master_keys\", which has been released by the\ngeneric_shutdown_super().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48628", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48628", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48628", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48628", "SUSE": 
"https://www.suse.com/security/cve/CVE-2022-48628", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48628" } }, "CVE-2022-48629": { "affected_versions": "v4.19-rc1 to v5.17", "breaks": "ceec5f5b59882b871a722ca4d49b767a09a4bde9", "cmt_msg": "crypto: qcom-rng - ensure buffer for generate is completely filled", "fixes": "a680b1832ced3b5fa7c93484248fd221ea0d614b", "last_affected_version": "5.16", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qcom-rng - ensure buffer for generate is completely filled\n\nThe generate function in struct rng_alg expects that the destination\nbuffer is completely filled if the function returns 0. qcom_rng_read()\ncan run into a situation where the buffer is partially filled with\nrandomness and the remaining part of the buffer is zeroed since\nqcom_rng_generate() doesn't check the return value. This issue can\nbe reproduced by running the following from libkcapi:\n\n kcapi-rng -b 9000000 > OUTFILE\n\nThe generated OUTFILE will have three huge sections that contain all\nzeros, and this is caused by the code where the test\n'val & PRNG_STATUS_DATA_AVAIL' fails.\n\nLet's fix this issue by ensuring that qcom_rng_read() always returns\nwith a full buffer if the function returns success. Let's also have\nqcom_rng_generate() return the correct value.\n\nHere's some statistics from the ent project\n(https://www.fourmilab.ch/random/) that shows information about the\nquality of the generated numbers:\n\n $ ent -c qcom-random-before\n Value Char Occurrences Fraction\n 0 606748 0.067416\n 1 33104 0.003678\n 2 33001 0.003667\n ...\n 253 ? 32883 0.003654\n 254 ? 33035 0.003671\n 255 ? 
33239 0.003693\n\n Total: 9000000 1.000000\n\n Entropy = 7.811590 bits per byte.\n\n Optimum compression would reduce the size\n of this 9000000 byte file by 2 percent.\n\n Chi square distribution for 9000000 samples is 9329962.81, and\n randomly would exceed this value less than 0.01 percent of the\n times.\n\n Arithmetic mean value of data bytes is 119.3731 (127.5 = random).\n Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).\n Serial correlation coefficient is 0.159130 (totally uncorrelated =\n 0.0).\n\nWithout this patch, the results of the chi-square test is 0.01%, and\nthe numbers are certainly not random according to ent's project page.\nThe results improve with this patch:\n\n $ ent -c qcom-random-after\n Value Char Occurrences Fraction\n 0 35432 0.003937\n 1 35127 0.003903\n 2 35424 0.003936\n ...\n 253 ? 35201 0.003911\n 254 ? 34835 0.003871\n 255 ? 35368 0.003930\n\n Total: 9000000 1.000000\n\n Entropy = 7.999979 bits per byte.\n\n Optimum compression would reduce the size\n of this 9000000 byte file by 0 percent.\n\n Chi square distribution for 9000000 samples is 258.77, and randomly\n would exceed this value 42.24 percent of the times.\n\n Arithmetic mean value of data bytes is 127.5006 (127.5 = random).\n Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).\n Serial correlation coefficient is 0.000468 (totally uncorrelated =\n 0.0).\n\nThis change was tested on a Nexus 5 phone (msm8974 SoC).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48629", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48629", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48629", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48629", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48629", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48629" } }, "CVE-2022-48630": { "affected_versions": "v5.17 to v5.18", "breaks": "a680b1832ced3b5fa7c93484248fd221ea0d614b", "cmt_msg": "crypto: qcom-rng - fix 
infinite loop on requests not multiple of WORD_SZ", "fixes": "16287397ec5c08aa58db6acf7dbc55470d78087d", "last_affected_version": "5.17", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ\n\nThe commit referenced in the Fixes tag removed the 'break' from the else\nbranch in qcom_rng_read(), causing an infinite loop whenever 'max' is\nnot a multiple of WORD_SZ. This can be reproduced e.g. by running:\n\n kcapi-rng -b 67 >/dev/null\n\nThere are many ways to fix this without adding back the 'break', but\nthey all seem more awkward than simply adding it back, so do just that.\n\nTested on a machine with Qualcomm Amberwing processor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2022-48630", "ExploitDB": "https://www.exploit-db.com/search?cve=2022-48630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2022-48630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2022-48630", "SUSE": "https://www.suse.com/security/cve/CVE-2022-48630", "Ubuntu": "https://ubuntu.com/security/CVE-2022-48630" } }, "CVE-2023-0030": { "affected_versions": "v2.6.12-rc2 to v5.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/nouveau/mmu: add more general vmm free/node handling functions", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "729eba3355674f2d9524629b73683ba1d1cd3f10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0030", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0030", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0030", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0030", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0030" } }, "CVE-2023-0045": { "affected_versions": "v4.20-rc5 to v6.2-rc3", "breaks": "9137bb27e60e554dab694eafa4cca241fa3a694f", "cmt_msg": "x86/bugs: Flush IBP in ib_prctl_set()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "fixes": "a664ec9158eeddd75121d39c9a0758016097fa96", "last_affected_version": "6.1.4", "last_modified": "2023-12-06", "nvd_text": "The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. 
The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.\n\nWe recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0045", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0045", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0045", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0045", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0045", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0045" } }, "CVE-2023-0047": { "affected_versions": "v2.6.12-rc2 to v5.16-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm, oom: do not trigger out_of_memory from the #PF", "fixes": "60e2793d440a3ec95abb5d6d4fc034a4b480472d", "last_affected_version": "5.15.2", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2023. 
Notes: none.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0047", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0047", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0047", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0047", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0047", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0047" }, "rejected": true }, "CVE-2023-0122": { "affected_versions": "v6.0-rc1 to v6.0-rc4", "breaks": "db1312dd95488b5e6ff362ff66fcf953a46b1821", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "NULL Pointer Dereference", "fixes": "da0342a3aa0357795224e6283df86444e1117168", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference vulnerability in the Linux kernel NVMe functionality, in nvmet_setup_auth(), allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine. 
Affected versions v6.0-rc1 to v6.0-rc3, fixed in v6.0-rc4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0122", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0122", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0122", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0122", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0122", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0122" } }, "CVE-2023-0160": { "affected_versions": "v4.20-rc1 to v6.4-rc1", "breaks": "604326b41a6fb9b4a78b6179335decee0365cd8c", "cmt_msg": "bpf, sockmap: fix deadlocks in the sockhash and sockmap", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "ed17aa92dc56b6d8883e4b7a8f1c6fbf5ed6cd29", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "A deadlock flaw was found in the Linux kernel\u2019s BPF subsystem. 
This flaw allows a local user to potentially crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0160", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0160", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0160", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0160", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0160" } }, "CVE-2023-0179": { "affected_versions": "v5.5-rc1 to v6.2-rc5", "breaks": "f6ae9f120dada00abfb47313364c35118469455f", "cmt_msg": "netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "696e1a48b1a1b01edad542a1ef293665864a4dd0", "last_affected_version": "6.1.6", "last_modified": "2023-12-06", "nvd_text": "A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. 
This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0179", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0179", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0179", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0179", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0179", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0179" } }, "CVE-2023-0210": { "affected_versions": "v5.15-rc1 to v6.2-rc4", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "797805d81baa814f76cf7bdab35f86408a79d707", "last_affected_version": "6.1.4", "last_modified": "2023-12-06", "nvd_text": "A bug affects the Linux kernel\u2019s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0210", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0210", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0210", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0210", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0210", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0210" } }, "CVE-2023-0240": { "affected_versions": "v5.1-rc1 to v5.10-rc1", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: COW io_identity on mismatch", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", 
"Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "1e6fa5216a0e59ef02e8b6b40d553238a3b81d49", "last_modified": "2023-12-06", "nvd_text": "There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation.\n\nIn the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0240", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0240", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0240", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0240", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0240", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0240" } }, "CVE-2023-0266": { "affected_versions": "v2.6.12-rc2 to v6.2-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "56b88b50565cd8b946a2d00b0c83927b7ebb055e", "last_affected_version": "6.1.5", "last_modified": "2023-12-06", "nvd_text": "A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel.\u00a0SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used 
in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit\u00a056b88b50565cd8b946a2d00b0c83927b7ebb055e\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0266", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0266", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0266", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0266", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0266" } }, "CVE-2023-0386": { "affected_versions": "v2.6.12-rc2 to v6.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ovl: fail on invalid uid/gid mapping at copy up", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "4f11ada10d0ad3fd53e2bd67806351de63a4f9c3", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel\u2019s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. 
This uid mapping bug allows a local user to escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0386", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0386", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0386", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0386", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0386", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0386" } }, "CVE-2023-0394": { "affected_versions": "v2.6.12-rc3 to v6.2-rc4", "breaks": "357b40a18b04c699da1d45608436e9b76b50e251", "cmt_msg": "ipv6: raw: Deduct extension header length in rawv6_push_pending_frames", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "NULL Pointer Dereference", "fixes": "cb3e9864cdbe35ff6378966660edbcbac955fe17", "last_affected_version": "6.1.6", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. 
This flaw causes the system to crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0394", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0394", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0394", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0394", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0394", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0394" } }, "CVE-2023-0458": { "affected_versions": "v2.6.12-rc2 to v6.2-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "prlimit: do_prlimit needs to have a speculation check", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "fixes": "739790605705ddcf18f21782b9c99ad7d53a8c11", "last_affected_version": "6.1.7", "last_modified": "2023-12-06", "nvd_text": "A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. 
We recommend upgrading past version 6.1.8 or commit\u00a0739790605705ddcf18f21782b9c99ad7d53a8c11", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0458", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0458", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0458", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0458", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0458", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0458" } }, "CVE-2023-0459": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "uaccess: Add speculation barrier to copy_from_user()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "74e19ef0ff8061ef55957c3abd71614ef0f42f47", "last_affected_version": "6.2.0", "last_modified": "2023-12-06", "nvd_text": "Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. 
We recommend upgrading beyond commit\u00a074e19ef0ff8061ef55957c3abd71614ef0f42f47", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0459", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0459", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0459", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0459", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0459", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0459" } }, "CVE-2023-0461": { "affected_versions": "v4.13-rc1 to v6.2-rc3", "breaks": "734942cc4ea6478eed125af258da1bdbb4afe578", "cmt_msg": "net/ulp: prevent ULP without clone op from entering the LISTEN status", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "2c02d41d71f90a5168391b6a5f2954112ba2307c", "last_affected_version": "6.1.4", "last_modified": "2023-12-06", "nvd_text": "There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS\u00a0or CONFIG_XFRM_ESPINTCP\u00a0has to be configured, but the operation does not require any privilege.\n\nThere is a use-after-free bug of icsk_ulp_data\u00a0of a struct inet_connection_sock.\n\nWhen CONFIG_TLS\u00a0is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. 
If a new socket is created from the listener, the context is inherited and vulnerable.\n\nThe setsockopt\u00a0TCP_ULP\u00a0operation does not require any privilege.\n\nWe recommend upgrading past commit\u00a02c02d41d71f90a5168391b6a5f2954112ba2307c", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0461", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0461", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0461", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0461", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0461", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0461" } }, "CVE-2023-0468": { "affected_versions": "v5.17-rc1 to v6.1-rc7", "breaks": "aa43477b040251f451db0d844073ac00a8ab66ee", "cmt_msg": "io_uring: make poll refs more robust", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "a26a35e9019fd70bf3cf647dcfdae87abc7bacea", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. 
This flaw may cause a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0468", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0468", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0468", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0468", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0468", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0468" } }, "CVE-2023-0469": { "affected_versions": "v5.19-rc1 to v6.1-rc7", "breaks": "61c1b44a21d70d4783db02198fbf68b132f4953c", "cmt_msg": "io_uring/filetable: fix file reference underflow", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Integer Underflow (Wrap or Wraparound)", "fixes": "9d94c04c0db024922e886c9fd429659f22f48ea4", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. 
This flaw may lead to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0469", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0469", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0469", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0469", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0469", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0469" } }, "CVE-2023-0590": { "affected_versions": "v2.6.32-rc1 to v6.1-rc2", "breaks": "af356afa010f3cd2c8b8fcc3bce90f7a7b7ec02a", "cmt_msg": "net: sched: fix race condition in qdisc_graft()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "ebda44da44f6f309d302522b049f43d6f829f7aa", "last_affected_version": "6.0.5", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. 
If patch ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\") not applied yet, then kernel could be affected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0590", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0590", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0590", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0590", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0590", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0590" } }, "CVE-2023-0597": { "affected_versions": "v2.6.12-rc2 to v6.2-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/mm: Randomize per-cpu entry area", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "97e3d26b5e5f371b3ee223d94dd123e6c442ba80", "last_modified": "2023-12-06", "nvd_text": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. 
A local user could use this flaw to get access to some important data with expected location in memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0597", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0597", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0597", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0597", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0597" } }, "CVE-2023-0615": { "affected_versions": "v3.18-rc1 to v6.1-rc3", "breaks": "ef834f7836ec0502f49f20bbc42f1240577a9c83", "cmt_msg": "media: vivid: dev->bitmap_cap wasn't freed in all cases", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "1f65ea411cc7b6ff128d82a3493d7b5648054e6f", "last_affected_version": "6.0.6", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. 
This could allow a local user to crash the system if vivid test code enabled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-0615", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-0615", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-0615", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-0615", "SUSE": "https://www.suse.com/security/cve/CVE-2023-0615", "Ubuntu": "https://ubuntu.com/security/CVE-2023-0615" } }, "CVE-2023-1032": { "affected_versions": "v5.19-rc1 to v6.3-rc2", "breaks": "da214a475f8bd1d3e9e7a19ddfeb4d1617551bab", "cmt_msg": "net: avoid double iput when sock_alloc_file fails", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "649c15c7691e9b13cbe9bf6c65c365350e056067", "last_affected_version": "6.2.2", "last_modified": "2024-01-12", "nvd_text": "The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. 
This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1032", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1032", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1032", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1032", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1032", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1032" } }, "CVE-2023-1073": { "affected_versions": "v3.16-rc1 to v6.2-rc5", "breaks": "1b15d2e5b8077670b1e6a33250a0d9577efff4a5", "cmt_msg": "HID: check empty report_list in hid_validate_values()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 6.6 }, "fixes": "b12fece4c64857e5fab4290bf01b2e0317a88456", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "A memory corruption flaw was found in the Linux kernel\u2019s human interface device (HID) subsystem in how a user inserts a malicious USB device. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1073", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1073", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1073", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1073", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1073", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1073" } }, "CVE-2023-1074": { "affected_versions": "v2.6.12-rc2 to v6.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sctp: fail if no bound addresses can be used for a given scope", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "458e279f861d3f61796894cd158b780765a1569f", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. 
This could allow a local user to starve resources, causing a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1074", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1074", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1074", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1074", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1074", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1074" } }, "CVE-2023-1075": { "affected_versions": "v4.20-rc1 to v6.2-rc7", "breaks": "a42055e8d2c30d4decfc13ce943d09c7b9dad221", "cmt_msg": "net/tls: tls_is_tx_ready() checked list_entry", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "fixes": "ffe2a22562444720b05bdfeb999c03e810d84cbb", "last_affected_version": "6.1.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel. 
The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1075", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1075", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1075", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1075", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1075", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1075" } }, "CVE-2023-1076": { "affected_versions": "v4.10-rc1 to v6.3-rc1", "breaks": "86741ec25462e4c8cdce6df2f41ead05568c7d5e", "cmt_msg": "tun: tun_chr_open(): correctly initialize socket uid", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "fixes": "a096ccca6e503a5c575717ff8a36ace27510ab0a", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. 
This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1076", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1076", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1076", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1076", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1076", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1076" } }, "CVE-2023-1077": { "affected_versions": "v2.6.25-rc1 to v6.3-rc1", "breaks": "326587b840785c60f5dc18557235a23bafefd620", "cmt_msg": "sched/rt: pick_next_rt_entity(): check list_entry", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "7c4a5b89a0b5a57a64b601775b296abf77a9fe97", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1077", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1077", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1077", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1077", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1077", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1077" } }, "CVE-2023-1078": { "affected_versions": "v4.17-rc1 to v6.2-rc8", "breaks": "9426bbc6de99b8649d897b94e8f5916b58195643", "cmt_msg": "rds: 
rds_rm_zerocopy_callback() use list_first_entry()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "f753a68980cf4b59a80fe677619da2b1804f526d", "last_affected_version": "6.1.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1078", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1078", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1078", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1078", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1078", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1078" } }, "CVE-2023-1079": { "affected_versions": "v4.12-rc1 to v6.3-rc1", "breaks": "af22a610bc38508d5ea760507d31be6b6983dfa8", "cmt_msg": "HID: asus: use spinlock to safely schedule workers", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.8 }, "fixes": "4ab3a086d10eeec1424f2e8a968827a6336203df", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel. 
A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1079", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1079", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1079", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1079", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1079", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1079" } }, "CVE-2023-1095": { "affected_versions": "v3.16-rc1 to v6.0-rc1", "breaks": "55dd6f93076bb82aa8911191125418dcfcbf2c9b", "cmt_msg": "netfilter: nf_tables: fix null deref due to zeroed list head", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "580077855a40741cf511766129702d97ff02f4d9", "last_affected_version": "5.19.1", "last_modified": "2023-12-27", "nvd_text": "In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. 
nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1095", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1095", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1095", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1095", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1095", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1095" } }, "CVE-2023-1118": { "affected_versions": "v2.6.36-rc1 to v6.3-rc1", "breaks": "9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6", "cmt_msg": "media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "29b0589a865b6f66d141d79b2dd1373e4e50fe17", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel integrated infrared receiver/transceiver driver in the way a user detaches an rc device. 
A local user could use this flaw to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1118", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1118", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1118", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1118", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1118", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1118" } }, "CVE-2023-1192": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "a848c4f15ab6d5d405dbee7de5da71839b2bf35e", "cmt_msg": "fs/ntfs3: Validate MFT flags before replaying logs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "fixes": "98bea253aa28ad8be2ce565a9ca21beb4a9419e5", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. 
After CIFS transfers response data to a system call, there are still local variables pointing to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region, leading to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1192", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1192", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1192", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1192", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1192" } }, "CVE-2023-1193": { "affected_versions": "v5.15-rc1 to v6.3-rc6", "breaks": "a848c4f15ab6d5d405dbee7de5da71839b2bf35e", "cmt_msg": "ksmbd: delete asynchronous work from list", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "fixes": "3a9b557f44ea8f216aab515a7db20e23f0eb51b9", "last_affected_version": "6.1.70", "last_modified": "2024-01-12", "nvd_text": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. 
This issue could allow an attacker to crash the system by accessing freed work.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1193", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1193", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1193", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1193", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1193" } }, "CVE-2023-1194": { "affected_versions": "v5.15-rc1 to v6.4-rc6", "breaks": "a848c4f15ab6d5d405dbee7de5da71839b2bf35e", "cmt_msg": "ksmbd: fix out-of-bound read in parse_lease_state()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 8.1 }, "fixes": "fc6c6a3c324c1b3e93a03d0cfa3749c781f23de0", "last_affected_version": "6.3.7", "last_modified": "2023-12-27", "nvd_text": "An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. 
When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1194", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1194", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1194", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1194", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1194", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1194" } }, "CVE-2023-1195": { "affected_versions": "v5.16-rc1 to v6.1-rc3", "breaks": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541", "cmt_msg": "cifs: fix use-after-free caused by invalid pointer `hostname`", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "153695d36ead0ccc4d0256953c751cabf673e621", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in reconn_set_ipaddr_from_hostname in fs/cifs/connect.c in the Linux kernel. 
The issue occurs when it fails to set the freed pointer server->hostname to NULL, leading to an invalid pointer request.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1195", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1195", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1195", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1195", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1195", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1195" } }, "CVE-2023-1206": { "affected_versions": "v2.6.12-rc2 to v6.5-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "tcp: Reduce chance of collisions in inet6_hashfn().", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.7 }, "fixes": "d11b0df7ddf1831f3e170972f43186dad520bfcc", "last_affected_version": "6.4.7", "last_modified": "2023-12-06", "nvd_text": "A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel\u2019s IPv6 functionality when a user makes a new kind of SYN flood attack. 
A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1206", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1206", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1206", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1206", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1206", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1206" } }, "CVE-2023-1249": { "affected_versions": "v3.7-rc1 to v5.18-rc1", "breaks": "2aa362c49c314a98fb9aebbd7760a461667bac05", "cmt_msg": "coredump: Use the vma snapshot in fill_files_note", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "390031c942116d4733310f0684beb8db19885fe6", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s core dump subsystem. This flaw allows a local user to crash the system. 
Only if patch 390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\") not applied yet, then kernel could be affected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1249", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1249", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1249", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1249", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1249", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1249" } }, "CVE-2023-1252": { "affected_versions": "v5.6-rc1 to v5.16-rc1", "breaks": "2406a307ac7ddfd7effeeaff6947149ec6a95b4e", "cmt_msg": "ovl: fix use after free in struct ovl_aio_req", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "9a254403760041528bc8f69fe2f5e1ef86950991", "last_affected_version": "5.15.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. 
Only if patch 9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\") not applied yet, the kernel could be affected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1252", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1252", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1252", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1252", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1252", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1252" } }, "CVE-2023-1281": { "affected_versions": "v4.14-rc1 to v6.2", "breaks": "9b0d4446b56904b59ae3809913b0ac760fa941a6", "cmt_msg": "net/sched: tcindex: update imperfect hash filters respecting rcu", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "ee059170b1f7e94e55fa6cadee544e176a6e59c2", "last_affected_version": "6.1", "last_modified": "2023-12-06", "nvd_text": "Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation.\u00a0The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1281", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1281", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1281", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1281", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1281" } 
}, "CVE-2023-1295": { "affected_versions": "v5.6-rc1 to v5.12-rc1-dontuse", "breaks": "b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb", "cmt_msg": "io_uring: get rid of intermediate IORING_OP_CLOSE stage", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "9eac1904d3364254d622bf2c771c4f85cd435fc2", "last_affected_version": "5.11.5", "last_modified": "2023-12-06", "nvd_text": "A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1295", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1295", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1295", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1295", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1295", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1295" } }, "CVE-2023-1380": { "affected_versions": "v3.2-rc1 to v6.4-rc1", "breaks": "5b435de0d786869c95d1962121af0d7df2542009", "cmt_msg": "wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "0da40e018fd034d87c9460123fa7f897b69fdee7", "last_affected_version": "6.3.0", "last_modified": 
"2023-12-06", "nvd_text": "A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1380", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1380", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1380", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1380", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1380", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1380" } }, "CVE-2023-1382": { "affected_versions": "v3.11-rc1 to v6.1-rc7", "breaks": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f", "cmt_msg": "tipc: set con sock in tipc_conn_alloc", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. 
This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1382", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1382", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1382", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1382", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1382" } }, "CVE-2023-1390": { "affected_versions": "v4.3-rc1 to v5.11-rc4", "breaks": "af9b028e270fda6fb812d70d17d902297df1ceb5", "cmt_msg": "tipc: fix NULL deref in tipc_link_xmit()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "cwe": "Unspecified", "fixes": "b77413446408fdd256599daf00d5be72b5f3e7c6", "last_affected_version": "5.10.9", "last_modified": "2023-12-06", "nvd_text": "A remote denial of service vulnerability was found in the Linux kernel\u2019s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. 
Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1390", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1390", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1390", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1390", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1390", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1390" } }, "CVE-2023-1476": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "", "last_modified": "2024-01-15", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s mm/mremap memory address space accounting source code. 
This issue occurs due to a race condition between rmap walk and mremap, allowing a local user to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1476", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1476", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1476", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1476", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1476", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1476" } }, "CVE-2023-1513": { "affected_versions": "v2.6.12-rc2 to v6.2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kvm: initialize all of the kvm_debugregs structure before sending it to userspace", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 3.3 }, "fixes": "2c10b61421a28e95a46ab489fd56c0f442ff6952", "last_affected_version": "6.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in KVM. 
When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1513", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1513", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1513", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1513", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1513" } }, "CVE-2023-1582": { "affected_versions": "v4.5-rc1 to v5.17-rc4", "breaks": "e9b61f19858a5d6c42ce2298cf138279375d0d9b", "cmt_msg": "fs/proc: task_mmu.c: don't read mapcount for migration entry", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "24d7275ce2791829953ed4e72f68277ceb2571c6", "last_affected_version": "5.16.9", "last_modified": "2023-12-06", "nvd_text": "A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. 
This issue may allow a local attacker with user privilege to cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1582", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1582", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1582", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1582", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1582", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1582" } }, "CVE-2023-1583": { "affected_versions": "v5.19-rc1 to v6.3-rc4", "breaks": "4278a0deb1f6cac40ded3362fe2a9827d7efee3d", "cmt_msg": "io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "02a4d923e4400a36d340ea12d8058f69ebf3a383", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. 
An unprivileged user can use the flaw to cause a system crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1583", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1583", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1583", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1583", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1583", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1583" } }, "CVE-2023-1611": { "affected_versions": "v2.6.12-rc2 to v6.3-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: fix race between quota disable and quota assign ioctls", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "fixes": "2f1a6be12ab6c8470d5776e68644726c94257c54", "last_affected_version": "6.2.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1611", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1611", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1611", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1611" } }, "CVE-2023-1637": { "affected_versions": "v4.17-rc7 to v5.18-rc2", "breaks": "772439717dbf703b39990be58d8d4e3e4ad0598a", "cmt_msg": "x86/speculation: Restore speculation related MSRs during S3 resume", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "e2a1256b17b16f9b9adf1b6fea56819e7b68e463", "last_affected_version": "5.17.2", "last_modified": "2023-12-06", "nvd_text": "A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1637", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1637", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1637", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1637", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1637", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1637" } }, "CVE-2023-1652": { "affected_versions": "v5.14-rc1 to v6.2-rc5", "breaks": "f4e44b393389c77958f7c58bf4415032b4cda15b", "cmt_msg": "NFSD: fix use-after-free in nfsd4_ssc_setup_dul()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. 
This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1652", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1652", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1652", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1652", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1652", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1652" } }, "CVE-2023-1670": { "affected_versions": "v2.6.12-rc2 to v6.3-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xirc2ps_cs: Fix use after free bug in xirc2ps_detach", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "e8d20c3ded59a092532513c9bd030d1ea66f5f44", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1670", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1670", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1670", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1670", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1670", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1670" } }, "CVE-2023-1829": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/sched: Retire tcindex classifier", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": 
"High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "8c710f75256bb3cf05ac7b1672c82b92c43f3d28", "last_affected_version": "6.2.4", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation.\u00a0The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1829", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1829", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1829", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1829", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1829" } }, "CVE-2023-1838": { "affected_versions": "v2.6.12-rc2 to v5.18", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Fix double fget() in vhost_net_set_backend()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "fb4554c2232e44d595920f4d5c66cf8f7d13f9bc", "last_affected_version": "5.17", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. 
This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1838", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1838", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1838", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1838", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1838", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1838" } }, "CVE-2023-1855": { "affected_versions": "v4.9-rc1 to v6.3-rc3", "breaks": "2ca492e22cb70a001749377506bd22eb06f60ecc", "cmt_msg": "hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "fixes": "cb090e64cf25602b9adaf32d5dfc9c8bec493cd1", "last_affected_version": "6.2.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. 
This vulnerability could even lead to a kernel information leak problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1855", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1855", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1855", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1855", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1855", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1855" } }, "CVE-2023-1859": { "affected_versions": "v4.12-rc1 to v6.3-rc7", "breaks": "71ebd71921e451f0f942ddfe85d01e31ddc6eb88", "cmt_msg": "9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "ea4f1009408efb4989a0f139b70fb338e7f687d0", "last_affected_version": "6.2.11", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in xen_9pfs_front_remove in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. 
This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1859", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1859", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1859", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1859", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1859" } }, "CVE-2023-1872": { "affected_versions": "v5.7-rc1 to v5.18-rc2", "breaks": "7d67af2c013402537385dae343a2d0f6a4cb3bfd", "cmt_msg": "io_uring: propagate issue_flags state down to file assignment", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "5106dd6e74ab6c94daac1c357094f11e6934b36f", "last_affected_version": "5.17.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due to a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1872", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1872", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1872", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1872", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1872", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1872" } }, "CVE-2023-1989": { "affected_versions": "v2.6.24-rc1 to v6.3-rc4", "breaks": 
"ddbaf13e3609442b64abb931ac21527772d87980", "cmt_msg": "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "1e9ac114c4428fdb7ff4635b45d4f46017e8916f", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1989", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1989", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1989", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1989", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1989", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1989" } }, "CVE-2023-1990": { "affected_versions": "v3.17-rc1 to v6.3-rc3", "breaks": "35630df68d6030daf12dde12ed07bbe26324e6ac", "cmt_msg": "nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "5000fe6c27827a61d8250a7e4a1d26c3298ef4f6", "last_affected_version": "6.2.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. 
This flaw could allow an attacker to crash the system due to a race problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1990", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1990", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1990", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1990", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1990", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1990" } }, "CVE-2023-1998": { "affected_versions": "v5.19-rc7 to v6.3-rc1", "breaks": "7c693f54c873691a4b7da05c7e0f74e67745d144", "cmt_msg": "x86/speculation: Allow enabling STIBP with legacy IBRS", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 5.6 }, "fixes": "6921ed9049bc7457f66c1596c5b78aec0dae4a9d", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\n\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. 
However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-1998", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-1998", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-1998", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-1998", "SUSE": "https://www.suse.com/security/cve/CVE-2023-1998", "Ubuntu": "https://ubuntu.com/security/CVE-2023-1998" } }, "CVE-2023-2002": { "affected_versions": "v4.9-rc1 to v6.4-rc1", "breaks": "f81f5b2db8692ff1d2d5f4db1fde58e67aa976a3", "cmt_msg": "bluetooth: Perform careful capability checks in hci_sock_ioctl()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "score": 6.8 }, "fixes": "25c150ac103a4ebeed0319994c742a90634ddf18", "last_affected_version": "6.3.0", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. 
This flaw allows an attacker to perform unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2002", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2002", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2002", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2002" } }, "CVE-2023-2006": { "affected_versions": "v5.10-rc1 to v6.1-rc7", "breaks": "245500d853e9f20036cec7df4f6984ece4c6bf26", "cmt_msg": "rxrpc: Fix race between conn bundle lookup and bundle removal [ZDI-CAN-15975]", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. 
This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2006", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2006", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2006", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2006", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2006", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2006" } }, "CVE-2023-2007": { "affected_versions": "v2.6.12-rc2 to v6.0-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: dpt_i2o: Remove obsolete driver", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "b04e75a4a8a81887386a0d2dbf605a48e779d2a0", "last_modified": "2023-12-06", "nvd_text": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. 
An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2007", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2007", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2007", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2007", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2007", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2007" } }, "CVE-2023-2008": { "affected_versions": "v4.20-rc1 to v5.19-rc4", "breaks": "7b26e4e2119d0c5ede1282b22ce2af22835ff4b5", "cmt_msg": "udmabuf: add back sanity check", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "05b252cccb2e5c3f56119d25de684b4f810ba40a", "last_affected_version": "5.18.7", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. 
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2008", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2008", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2008", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2008", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2008", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2008" } }, "CVE-2023-2019": { "affected_versions": "v5.12-rc1-dontuse to v6.0-rc1", "breaks": "0ae3eb7b4611207e140e9772398b9f88b72d6839", "cmt_msg": "netdevsim: fib: Fix reference count leak on route deletion failure", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "cwe": "Unspecified", "fixes": "180a6a3ee60a7cb69ed1232388460644f6a21f00", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. 
This may allow an attacker to create a denial of service condition on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2019", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2019", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2019", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2019", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2019", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2019" } }, "CVE-2023-20569": { "affected_versions": "v2.6.12-rc2 to v6.5-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/bugs: Increase the x86 bugs vector size to two u32s", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 4.7 }, "fixes": "0e52740ffd10c6c316837c6c128f460f1aaba1ea", "last_affected_version": "6.4.8", "last_modified": "2023-12-06", "nvd_text": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. 
This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20569", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20569", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20569", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20569", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20569", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20569" } }, "CVE-2023-20588": { "affected_versions": "v2.6.12-rc2 to v6.5-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/CPU/AMD: Do not leak quotient data after a division by 0", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "77245f1c3c6495521f6a3af082696ee2f8ce3921", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.\u00a0\n\n\n\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20588", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20588", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20588", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20588" } }, "CVE-2023-20593": { "affected_versions": "v2.6.12-rc2 to v6.5-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/cpu/amd: Add a Zenbleed fix", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", 
"Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "522b1d69219d8f083173819fde04f994aa051a98", "last_affected_version": "6.4.5", "last_modified": "2023-12-06", "nvd_text": "\nAn issue in \u201cZen 2\u201d CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.\n\n\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20593", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20593", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20593", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20593", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20593", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20593" } }, "CVE-2023-20928": { "affected_versions": "v4.20-rc1 to v6.0-rc1", "breaks": "dd2283f2605e3b3e9c61bcae844b34f2afa4813f", "cmt_msg": "android: binder: stop saving a pointer to the VMA", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "a43cfc87caaf46710c8027a8c23b8a55f1078f19", "last_affected_version": "5.18.17", "last_modified": "2023-12-06", "nvd_text": "In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20928", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20928", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20928", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20928", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20928", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20928" } }, "CVE-2023-20937": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In several functions of the Android Linux kernel, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257443051References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20937", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20937", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20937", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20937", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20937", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20937" }, "vendor_specific": true }, "CVE-2023-20938": { "affected_versions": "v5.17-rc1 to v5.18-rc5", "breaks": "09184ae9b5756cc469db6fd1d1cfdcffbf627c2d", "cmt_msg": "binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "ef38de9217a04c9077629a24652689d8fdb4c6c6", "last_affected_version": "5.17.5", "last_modified": "2023-12-06", "nvd_text": "In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20938", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20938", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20938", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20938", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20938", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20938" } }, "CVE-2023-20941": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 6.6 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In acc_ctrlrequest_composite of f_accessory.c, there is a possible out of bounds write due to a missing bounds check. This could lead to physical escalation of privilege with no additional execution privileges needed. 
User interaction is needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-264029575References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-20941", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-20941", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-20941", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-20941", "SUSE": "https://www.suse.com/security/cve/CVE-2023-20941", "Ubuntu": "https://ubuntu.com/security/CVE-2023-20941" } }, "CVE-2023-21102": { "affected_versions": "v5.14-rc1 to v6.2-rc4", "breaks": "cefc7ca46235f01d5233e3abd4b79452af01d9e9", "cmt_msg": "efi: rt-wrapper: Add missing include", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "18bba1843fc7f264f58c9345d00827d082f9c558", "last_affected_version": "6.1.7", "last_modified": "2023-12-06", "nvd_text": "In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-21102", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-21102", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-21102", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-21102", "SUSE": "https://www.suse.com/security/cve/CVE-2023-21102", "Ubuntu": "https://ubuntu.com/security/CVE-2023-21102" } }, "CVE-2023-21106": { "affected_versions": "v5.19-rc1 to v6.2-rc5", "breaks": "d4726d7700688835f4784d3b94de6fff2cbe16c2", "cmt_msg": "drm/msm/gpu: Fix potential double-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "a66f1efcf748febea7758c4c3c8b5bc5294949ef", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-265016072References: Upstream kernel", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-21106", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-21106", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-21106", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-21106", "SUSE": "https://www.suse.com/security/cve/CVE-2023-21106", "Ubuntu": "https://ubuntu.com/security/CVE-2023-21106" } }, "CVE-2023-2124": { "affected_versions": "v3.12-rc1 to v6.4-rc1", "breaks": "50d5c8d8e938e3c4c0d21db9fc7d64282dc7be20", "cmt_msg": "xfs: verify buffer contents when we skip log replay", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "22ed903eee23a5b174e240f1cdfa9acf393a5210", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory access flaw was found in the Linux kernel\u2019s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2124", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2124", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2124", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2124", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2124", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2124" } }, "CVE-2023-21255": { "affected_versions": "v5.16-rc1 to v6.4-rc4", "breaks": "32e9f56a96d8d0f23cb2aeb2a3cd18d40393e787", "cmt_msg": "binder: fix UAF caused by faulty buffer cleanup", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "bdc1c5fac982845a58d28690cdb56db8c88a530d", "last_affected_version": "6.3.4", "last_modified": "2023-12-06", "nvd_text": "In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-21255", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-21255", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-21255", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-21255", "SUSE": "https://www.suse.com/security/cve/CVE-2023-21255", "Ubuntu": "https://ubuntu.com/security/CVE-2023-21255" } }, "CVE-2023-21264": { "affected_versions": "v5.17-rc1 to v6.4-rc5", "breaks": "e82edcc75c4e2389a3d7223c4ef1737bd9a07e5d", "cmt_msg": "KVM: arm64: Prevent unconditional donation of unmapped regions from the host", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "09cce60bddd6461a93a5bf434265a47827d1bc6f", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-21264", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-21264", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-21264", "SUSE": "https://www.suse.com/security/cve/CVE-2023-21264", "Ubuntu": "https://ubuntu.com/security/CVE-2023-21264" } }, "CVE-2023-21400": { "affected_versions": "v5.1-rc1 to unk", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "fb348857e7b67eefe365052f1423427b66dedbf3", "last_modified": "2023-12-06", "nvd_text": "In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. 
User interaction is not needed for exploitation.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-21400", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-21400", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-21400", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-21400", "SUSE": "https://www.suse.com/security/cve/CVE-2023-21400", "Ubuntu": "https://ubuntu.com/security/CVE-2023-21400" } }, "CVE-2023-2156": { "affected_versions": "v5.7-rc1 to v6.3", "breaks": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3", "cmt_msg": "net: rpl: fix rpl header size calculation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "4e006c7a6dac0ead4c1bf606000aa90a372fc253", "last_affected_version": "6.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. 
This may allow an unauthenticated remote attacker to create a denial of service condition on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2156", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2156", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2156", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2156", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2156", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2156" } }, "CVE-2023-2162": { "affected_versions": "v2.6.12-rc2 to v6.2-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3", "last_affected_version": "6.1.10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. 
In this flaw an attacker could leak kernel internal information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2162", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2162", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2162", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2162", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2162", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2162" } }, "CVE-2023-2163": { "affected_versions": "v5.3-rc1 to v6.3", "breaks": "b5dc0163d8fd78e64a7e21f309cf932fda34353e", "cmt_msg": "bpf: Fix incorrect verifier pruning due to missing register precision taints", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8 }, "fixes": "71b547f561247897a0a14f3082730156c0533fed", "last_affected_version": "6.2", "last_modified": "2023-12-06", "nvd_text": "Incorrect verifier pruning\u00a0in BPF in Linux Kernel\u00a0>=5.4\u00a0leads to unsafe\ncode paths being incorrectly marked as safe, resulting in\u00a0arbitrary read/write in\nkernel memory, lateral privilege escalation, and container escape.\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2163", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2163", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2163", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2163", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2163", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2163" } }, "CVE-2023-2166": { "affected_versions": "v5.12-rc1-dontuse to v6.1", "breaks": "4e096a18867a5a989b510f6999d9c6b6622e8f7b", "cmt_msg": "can: af_can: fix NULL pointer dereference in can_rcv_filter", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": 
"High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "0acc442309a0a1b01bcdaa135e56e6398a49439c", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "A null pointer dereference issue was found in the CAN protocol in net/can/af_can.c in the Linux kernel. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2166", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2166", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2166", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2166", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2166", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2166" } }, "CVE-2023-2176": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "RDMA/core: Refactor rdma_bind_addr", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "8d037973d48c026224ab285e6a06985ccac6f7bf", "last_affected_version": "6.1.80", "last_modified": "2024-04-06", "nvd_text": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. 
The improper cleanup results in an out-of-bounds read, which a local user could use to crash the system or escalate privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2176", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2176", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2176", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2176", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2176" } }, "CVE-2023-2177": { "affected_versions": "v4.15-rc1 to v5.19", "breaks": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51", "cmt_msg": "sctp: leave the err path free in sctp_stream_init to sctp_stream_free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d", "last_affected_version": "5.18", "last_modified": "2024-02-02", "nvd_text": "A null pointer dereference issue was found in the SCTP network protocol in net/sctp/stream_sched.c in the Linux kernel. If the stream_in allocation fails, stream_out is freed but is subsequently accessed. 
A local user could use this flaw to crash the system or potentially cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2177", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2177", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2177", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2177", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2177", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2177" } }, "CVE-2023-2194": { "affected_versions": "v4.2-rc1 to v6.3-rc4", "breaks": "f6505fbabc426b9e293da5bb702ace2eb1ccf87d", "cmt_msg": "i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "92fbb6d1296f81f41f65effd7f5f8c0f74943d15", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. 
This flaw could allow a local privileged user to crash the system or potentially achieve code execution.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2194", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2194", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2194", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2194", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2194", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2194" } }, "CVE-2023-2235": { "affected_versions": "v5.13-rc1 to v6.3-rc3", "breaks": "2e498d0a74e5b88a6689ae1b811f247f91ff188e", "cmt_msg": "perf: Fix check before add_event_to_groups() in perf_group_detach()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "fd0815f632c24878e325821943edccc7fde947a2", "last_affected_version": "6.2.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.\n\nThe perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on them before detaching them from their group, leaving a dangling pointer that causes a use-after-free vulnerability.\n\nWe recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2235", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2235", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2235", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2235", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2235", "Ubuntu": 
"https://ubuntu.com/security/CVE-2023-2235" } }, "CVE-2023-2236": { "affected_versions": "v5.19-rc1 to v6.1-rc7", "breaks": "61c1b44a21d70d4783db02198fbf68b132f4953c", "cmt_msg": "io_uring/filetable: fix file reference underflow", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "9d94c04c0db024922e886c9fd429659f22f48ea4", "last_affected_version": "6.0.10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2236", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2236", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2236", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2236", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2236", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2236" } }, "CVE-2023-2248": { "affected_versions": "v3.7-rc5 to v6.3", "breaks": "3015f3d2a3cd9614294025849d3ed89fd2f3a7f5", "cmt_msg": "net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg", "fixes": "3037933448f60f9acb705997eae62013ecb81e0d", "last_affected_version": "6.2", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it was the duplicate of CVE-2023-31436.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2248", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2023-2248", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2248", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2248", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2248", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2248" }, "rejected": true }, "CVE-2023-2269": { "affected_versions": "v2.6.33-rc1 to v6.4-rc1", "breaks": "1d0f3ce83200edc5d43723c77c62b09ad6560294", "cmt_msg": "dm ioctl: fix nested locking in table_clear() to remove deadlock concern", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "fixes": "3d32aaa7e66d5c1479a3c31d6c2c5d45dd0d3b89", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2269", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2269", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2269", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2269", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2269", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2269" } }, "CVE-2023-22995": { "affected_versions": "v2.6.12-rc2 to v5.17-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: dwc3: dwc3-qcom: Add missing platform_device_put() in dwc3_qcom_acpi_register_core", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Unspecified", "fixes": "fa0ef93868a6062babe1144df2807a8b1d4924d2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-22995", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-22995", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-22995", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-22995", "SUSE": "https://www.suse.com/security/cve/CVE-2023-22995", "Ubuntu": "https://ubuntu.com/security/CVE-2023-22995" } }, "CVE-2023-22996": { "affected_versions": "v5.16-rc1 to v5.18-rc1", "breaks": "8c75d585b931ac874fbe4ee5a8f1811d20c2817f", "cmt_msg": "soc: qcom: aoss: Fix missing put_device call in qmp_get", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "4b41a9d0fe3db5f91078a380f62f0572c3ecf2dd", "last_affected_version": "5.17.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-22996", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-22996", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-22996", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-22996", "SUSE": "https://www.suse.com/security/cve/CVE-2023-22996", "Ubuntu": "https://ubuntu.com/security/CVE-2023-22996" } }, "CVE-2023-22997": { "affected_versions": "v5.17-rc1 to v6.2-rc1", "breaks": 
"b1ae6dc41eaaa98bb75671e0f3665bfda248c3e7", "cmt_msg": "module: Fix NULL vs IS_ERR checking for module_get_next_page", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "45af1d7aae7d5520d2858f8517a1342646f015db", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-22997", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-22997", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-22997", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-22997", "SUSE": "https://www.suse.com/security/cve/CVE-2023-22997", "Ubuntu": "https://ubuntu.com/security/CVE-2023-22997" } }, "CVE-2023-22998": { "affected_versions": "v5.7-rc1 to v6.0-rc1", "breaks": "2f2aa13724d56829d910b2fa8e80c502d388f106", "cmt_msg": "drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "c24968734abfed81c8f93dc5f44a7b7a9aecadfa", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2023-22998", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-22998", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-22998", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-22998", "SUSE": "https://www.suse.com/security/cve/CVE-2023-22998", "Ubuntu": "https://ubuntu.com/security/CVE-2023-22998" } }, "CVE-2023-22999": { "affected_versions": "v5.12-rc1-dontuse to v5.17-rc1", "breaks": "c25c210f590e7a37eecd865d84f97d1f40e39786", "cmt_msg": "usb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "b52fe2dbb3e655eb1483000adfab68a219549e13", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-22999", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-22999", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-22999", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-22999", "SUSE": "https://www.suse.com/security/cve/CVE-2023-22999", "Ubuntu": "https://ubuntu.com/security/CVE-2023-22999" } }, "CVE-2023-23000": { "affected_versions": "v4.14-rc6 to v5.17-rc1", "breaks": "1df79cb3bae754e4a42240f9851ed82549a44f1a", "cmt_msg": "phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", 
"Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23000", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23000", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23000", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23000", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23000", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23000" } }, "CVE-2023-23001": { "affected_versions": "v5.11-rc1 to v5.17-rc1", "breaks": "cf137b3ea49a04e0c843b12674afa4b1d23e827f", "cmt_msg": "scsi: ufs: ufs-mediatek: Fix error checking in ufs_mtk_init_va09_pwr_ctrl()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "3ba880a12df5aa4488c18281701b5b1bc3d4531a", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23001", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23001", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23001", "Ubuntu": 
"https://ubuntu.com/security/CVE-2023-23001" } }, "CVE-2023-23002": { "affected_versions": "v5.7-rc1 to v5.17-rc1", "breaks": "77131dfec6af114efd32610b4a6bbecd934e37d5", "cmt_msg": "Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check in qca_serdev_probe", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "6845667146a28c09b5dfc401c1ad112374087944", "last_affected_version": "5.16.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23002", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23002", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23002", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23002", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23002", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23002" } }, "CVE-2023-23003": { "affected_versions": "v5.16-rc1 to v5.16-rc6", "breaks": "cb94a02e7494c001fa8b5a4c5e16693fafd98530", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "score": 4.0 }, "fixes": "0a515a06c5ebfa46fee3ac519e418f801e718da4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check for the hashmap__new return value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23003", 
"ExploitDB": "https://www.exploit-db.com/search?cve=2023-23003", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23003", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23003", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23003", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23003" } }, "CVE-2023-23004": { "affected_versions": "v4.20-rc1 to v5.19-rc1", "breaks": "1f23a56a46b81de50eb8b898f06296ca06720a99", "cmt_msg": "malidp: Fix NULL vs IS_ERR() checking", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "15342f930ebebcfe36f2415049736a77d7d2e045", "last_affected_version": "5.15.99", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23004", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23004", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23004", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23004", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23004", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23004" } }, "CVE-2023-23005": { "affected_versions": "v6.1-rc1 to v6.2-rc1", "breaks": "7b88bda3761b95856cf97822efe8281c8100067b", "cmt_msg": "mm/demotion: fix NULL vs IS_ERR checking in memory_tier_init", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": 
"4a625ceee8a0ab0273534cb6b432ce6b331db5ee", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23005", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23005", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23005", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23005", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23005" } }, "CVE-2023-23006": { "affected_versions": "v5.4-rc1 to v5.16-rc8", "breaks": "4ec9e7b02697eca8dc9853ea559c18029c38da36", "cmt_msg": "net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "6b8b42585886c59a008015083282aae434349094", "last_affected_version": "5.15.12", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23006", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23006", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23006", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23006", "SUSE": 
"https://www.suse.com/security/cve/CVE-2023-23006", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23006" } }, "CVE-2023-23039": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "score": 5.7 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23039", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23039", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23039", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23039" } }, "CVE-2023-23454": { "affected_versions": "v2.6.12-rc2 to v6.2-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net: sched: cbq: dont intepret cls results when asked to drop", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12", "last_affected_version": "6.1.4", "last_modified": "2023-12-06", "nvd_text": "cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of 
service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23454", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23454", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23454", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23454", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23454", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23454" } }, "CVE-2023-23455": { "affected_versions": "v2.6.23-rc1 to v6.2-rc3", "breaks": "b0188d4dbe5f4285372dd033acf7c92a97006629", "cmt_msg": "net: sched: atm: dont intepret cls results when asked to drop", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Access of Resource Using Incompatible Type ('Type Confusion')", "fixes": "a2965c7be0522eaa18808684b7b82b248515511b", "last_affected_version": "6.1.4", "last_modified": "2023-12-06", "nvd_text": "atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23455", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23455", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23455", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23455", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23455", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23455" } }, "CVE-2023-23559": { "affected_versions": "v2.6.35-rc1 to v6.2-rc5", "breaks": 
"80f8c5b434f94926c6489d7350d58aecb53ab70f", "cmt_msg": "wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "cwe": "Integer Overflow or Wraparound", "fixes": "b870e73a56c4cccbec33224233eaf295839f228c", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23559", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23559", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23559", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23559", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23559", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23559" } }, "CVE-2023-23586": { "affected_versions": "v5.10-rc1 to v5.12-rc1-dontuse", "breaks": "500a373d731ac506612db12631ec21295c1ff360", "cmt_msg": "io_uring: remove io_identity", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "4379bf8bd70b5de6bba7d53015b0c36c57a634ee", "last_modified": "2023-12-06", "nvd_text": "Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process.\u00a0timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time 
namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit\u00a0 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring \n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-23586", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-23586", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-23586", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-23586", "SUSE": "https://www.suse.com/security/cve/CVE-2023-23586", "Ubuntu": "https://ubuntu.com/security/CVE-2023-23586" } }, "CVE-2023-2430": { "affected_versions": "v5.18-rc1 to v6.2-rc5", "breaks": "4f57f06ce2186c31c3da52386125dc57b1cd6f96", "cmt_msg": "io_uring/msg_ring: fix missing lock on overflow for IOPOLL", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d", "last_affected_version": "6.1.49", "last_modified": "2024-01-15", "nvd_text": "A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. 
This flaw allows a local attacker with user privileges to cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2430", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2430", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2430", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2430", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2430", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2430" } }, "CVE-2023-2483": { "affected_versions": "v4.9-rc1 to v6.3-rc4", "breaks": "b9b17debc69d27cd55e21ee51a5ba7fc50a426cf", "cmt_msg": "net: qcom/emac: Fix use after free bug in emac_remove due to race condition", "fixes": "6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-33203. Reason: This candidate is a reservation duplicate of CVE-2023-33203. Notes: All CVE users should reference CVE-2023-33203 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2483", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2483", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2483", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2483", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2483", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2483" }, "rejected": true }, "CVE-2023-25012": { "affected_versions": "v5.6-rc4 to v6.3-rc1", "breaks": "4eb1b01de5b9d8596d6c103efcf1a15cfc1bedf7", "cmt_msg": "HID: bigben: use spinlock to safely schedule workers", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "fixes": "76ca8da989c7d97a7f76c75d475fe95a584439d7", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-25012", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-25012", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-25012", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-25012", "SUSE": "https://www.suse.com/security/cve/CVE-2023-25012", "Ubuntu": "https://ubuntu.com/security/CVE-2023-25012" } }, "CVE-2023-2513": { "affected_versions": "v2.6.19-rc2 to v6.0-rc1", "breaks": "ac27a0ec112a089f1a5102bc8dffc79c8c815571", "cmt_msg": "ext4: fix use-after-free in ext4_xattr_set_entry", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", 
"Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "67d7d8ad99beccd9fe92d585b87f1760dc9018e3", "last_affected_version": "5.19.1", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2513", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2513", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2513", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2513", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2513", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2513" } }, "CVE-2023-25775": { "affected_versions": "v5.14-rc1 to v6.6-rc1", "breaks": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "cmt_msg": "RDMA/irdma: Prevent zero-length STAG registration", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwe": "Unspecified", "fixes": "bb6d73d9add68ad270888db327514384dfa44958", "last_affected_version": "6.5.2", "last_modified": "2023-12-27", "nvd_text": "Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-25775", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-25775", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-25775", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-25775", "SUSE": "https://www.suse.com/security/cve/CVE-2023-25775", "Ubuntu": "https://ubuntu.com/security/CVE-2023-25775" } }, "CVE-2023-2598": { "affected_versions": "v6.3-rc1 to v6.4-rc1", "breaks": "57bebf807e2abcf87d96b9de1266104ee2d8fc2f", "cmt_msg": "io_uring/rsrc: check for nonconsecutive pages", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "776617db78c6d208780e7c69d4d68d1fa82913de", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2598", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2598", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2598", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2598", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2598", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2598" } }, "CVE-2023-26242": { "affected_versions": "v4.19-rc1 to unk", "breaks": "857a26222ff75eecf7d701ef0e91e4fbf6efa663", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an 
integer overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-26242", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-26242", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-26242", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-26242", "SUSE": "https://www.suse.com/security/cve/CVE-2023-26242", "Ubuntu": "https://ubuntu.com/security/CVE-2023-26242" } }, "CVE-2023-2640": { "affected_versions": "v5.19-rc1 to unk", "breaks": "c914c0e27eb0843b7cf3bec71d6f34d53a3a671e", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "On Ubuntu kernels carrying both c914c0e27eb0 and \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2640", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2640", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2640", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2640", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2640", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2640" } }, "CVE-2023-26544": { "affected_versions": "v5.15-rc1 to v6.2-rc1", "breaks": "4342306f0f0d5ff4315a204d315c1b51b914fca5", "cmt_msg": "fs/ntfs3: Fix slab-out-of-bounds read in run_unpack", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "887bfc546097fbe8071dac13b2fef73b77920899", "last_affected_version": "6.1.2", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-26544", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-26544", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-26544", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-26544", "SUSE": "https://www.suse.com/security/cve/CVE-2023-26544", "Ubuntu": "https://ubuntu.com/security/CVE-2023-26544" } }, "CVE-2023-26545": { "affected_versions": "v4.1-rc8 to v6.2", "breaks": "0fae3bf018d97b210051c8797a49d66d31071847", "cmt_msg": "net: mpls: fix stale pointer if allocation fails during device rename", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "fda6c89fe3d9aca073495a664e1d5aea28cd4377", "last_affected_version": "6.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-26545", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-26545", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-26545", "SUSE": "https://www.suse.com/security/cve/CVE-2023-26545", "Ubuntu": "https://ubuntu.com/security/CVE-2023-26545" } }, "CVE-2023-26605": { 
"affected_versions": "v6.1-rc1 to v6.1-rc7", "breaks": "cbfecb927f429a6fa613d74b998496bd71e4438a", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "4e3c51f4e805291b057d12f5dda5aeb50a538dc4", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-26605", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-26605", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-26605", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-26605", "SUSE": "https://www.suse.com/security/cve/CVE-2023-26605", "Ubuntu": "https://ubuntu.com/security/CVE-2023-26605" } }, "CVE-2023-26606": { "affected_versions": "v5.15-rc1 to v6.2-rc1", "breaks": "3f3b442b5ad2455507c9bfdacf39a3792eb3a6d0", "cmt_msg": "fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "557d19675a470bb0a98beccec38c5dc3735c20fa", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-26606", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-26606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-26606", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-26606", "SUSE": "https://www.suse.com/security/cve/CVE-2023-26606", "Ubuntu": "https://ubuntu.com/security/CVE-2023-26606" } }, "CVE-2023-26607": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ntfs: fix out-of-bounds read in ntfs_attr_find()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "36a4d82dddbbd421d2b8e79e1cab68c8126d5075", "last_affected_version": "6.0.9", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-26607", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-26607", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-26607", "SUSE": "https://www.suse.com/security/cve/CVE-2023-26607", "Ubuntu": "https://ubuntu.com/security/CVE-2023-26607" } }, "CVE-2023-28327": { "affected_versions": "v5.3-rc1 to v6.1", "breaks": "cae9910e73446cac68a54e3a7b02aaa12b689026", "cmt_msg": "af_unix: Get user_ns from in_skb in unix_diag_get_exact().", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "b3abe42e94900bdd045c472f9c9be620ba5ce553", "last_affected_version": "6.0", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c, in unix_diag_get_exact in the Linux 
Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28327", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28327", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28327", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28327", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28327", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28327" } }, "CVE-2023-28328": { "affected_versions": "v2.6.34-rc1 to v6.2-rc1", "breaks": "76f9a820c8672ada12ffa0903652c9e6f2429462", "cmt_msg": "media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "0ed554fd769a19ea8464bb83e9ac201002ef74ad", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dvb-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. 
This flaw allows a local user to crash the system or potentially cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28328", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28328", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28328", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28328", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28328", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28328" } }, "CVE-2023-28410": { "affected_versions": "v5.8-rc1 to v5.19-rc1", "breaks": "9f909e215fea0652023b9ed09d3d7bfe10386423", "cmt_msg": "drm/i915/gem: add missing boundary check in vm_access", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "661412e301e2ca86799aa4f400d1cf0bd38c57c6", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28410", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28410", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28410", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28410", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28410", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28410" } }, "CVE-2023-28464": { "affected_versions": "v6.3-rc1 to v6.3-rc7", "breaks": "0f00cd322d22d4441de51aa80bcce5bb6a8cbb44", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "5dc7d23e167e2882ef118456ceccd57873e876d8", "last_modified": "2023-12-06", "nvd_text": "hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28464", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28464", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28464", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28464", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28464", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28464" } }, "CVE-2023-28466": { "affected_versions": "v4.13-rc1 to v6.3-rc2", "breaks": "3c4d7559159bfe1e3b94df3a657b2cda3a34e218", "cmt_msg": "net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962", "last_affected_version": "6.2.6", "last_modified": "2023-12-06", "nvd_text": "do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28466", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28466", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28466", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-28466", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28466", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28466" } }, "CVE-2023-2860": { "affected_versions": "v4.10-rc1 to v6.0-rc5", "breaks": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9", "cmt_msg": "ipv6: sr: fix out-of-bounds read when setting HMAC data.", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "fixes": "84a53580c5d2138c7361c7c3eea5b31827e63b35", "last_affected_version": "5.15.67", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2860", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2860", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2860", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2860", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2860", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2860" } }, "CVE-2023-28746": { "affected_versions": "unk to v6.9-rc1", "breaks": "", "cmt_msg": "x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set", "fixes": "e95df4ec0c0c9791941f112db699fae794b9862a", "last_affected_version": "6.7.9", "last_modified": "2024-04-09", "nvd_text": "Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28746", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28746", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28746", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28746", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28746", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28746" } }, "CVE-2023-28772": { "affected_versions": "v2.6.27-rc1 to v5.14-rc1", "breaks": "5e3ca0ec76fce92daa4eed0d02de9c79b1fe3920", "cmt_msg": "seq_buf: Fix overflow in seq_buf_putmem_hex()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "d3b16034a24a112bb83aeb669ac5b9b01f744bb7", "last_affected_version": 
"5.13.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28772", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28772", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28772", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28772", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28772", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28772" } }, "CVE-2023-28866": { "affected_versions": "v5.17-rc1 to v6.3-rc4", "breaks": "d0b137062b2de75b264b84143d21c98abc5f5ad2", "cmt_msg": "Bluetooth: HCI: Fix global-out-of-bounds", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 5.3 }, "fixes": "bce56405201111807cc8e4f47c6de3e10b17c1ac", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-28866", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-28866", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-28866", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-28866", "SUSE": "https://www.suse.com/security/cve/CVE-2023-28866", "Ubuntu": "https://ubuntu.com/security/CVE-2023-28866" } }, "CVE-2023-2898": { "affected_versions": "v5.8-rc1 to v6.5-rc1", "breaks": "b4b10061ef98c583bcf82a4200703fbaa98c18dc", "cmt_msg": "f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()", "cvss3": { "Attack Complexity": "High", "Attack 
Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "d8189834d4348ae608083e1f1f53792cfcc2a9bc", "last_affected_version": "6.4.3", "last_modified": "2023-12-06", "nvd_text": "There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2898", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2898", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2898", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2898", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2898", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2898" } }, "CVE-2023-2985": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs: hfsplus: fix UAF issue in hfsplus_put_super", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "07db5e247ab5858439b14dd7cc1fe538b9efcf32", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. 
This flaw could allow a local user to cause a denial of service problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-2985", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-2985", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-2985", "SUSE": "https://www.suse.com/security/cve/CVE-2023-2985", "Ubuntu": "https://ubuntu.com/security/CVE-2023-2985" } }, "CVE-2023-3006": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm64: Add AMPERE1 to the Spectre-BHB affected list", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "0e5d5ae837c8ce04d2ddb874ec5f920118bd9d31", "last_affected_version": "6.0.6", "last_modified": "2023-12-06", "nvd_text": "A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. 
This issue leads to obtaining information that should not be accessible.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3006", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3006", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3006", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3006", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3006", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3006" } }, "CVE-2023-3022": { "backport": true, "breaks": "effda4dd97e878ab83336bec7411cc41b5cc6d37", "cmt_msg": "ipv6: Use result arg in fib_lookup_arg consistently", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "a65120bae4b7425a39c5783aa3d4fc29677eef0e", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. 
This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3022", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3022", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3022", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3022", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3022", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3022" } }, "CVE-2023-30456": { "affected_versions": "v2.6.12-rc2 to v6.3-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: nVMX: add missing consistency checks for CR0 and CR4", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 6.5 }, "cwe": "Unspecified", "fixes": "112e66017bff7f2837030f34c2bc19501e9212d5", "last_affected_version": "6.2.7", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. 
nVMX on x86_64 lacks consistency checks for CR0 and CR4.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-30456", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-30456", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-30456", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-30456", "SUSE": "https://www.suse.com/security/cve/CVE-2023-30456", "Ubuntu": "https://ubuntu.com/security/CVE-2023-30456" } }, "CVE-2023-30772": { "affected_versions": "v4.1-rc1 to v6.3-rc4", "breaks": "c1a281e34dae41379af86b95592a5ae8e9e3af67", "cmt_msg": "power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "fixes": "06615d11cc78162dfd5116efb71f29eb29502d37", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-30772", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-30772", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-30772", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-30772", "SUSE": "https://www.suse.com/security/cve/CVE-2023-30772", "Ubuntu": "https://ubuntu.com/security/CVE-2023-30772" } }, "CVE-2023-3090": { "affected_versions": "v3.19-rc1 to v6.4-rc2", "breaks": "2ad7bf3638411cb547f2823df08166c13ab04269", "cmt_msg": "ipvlan:Fix out-of-bounds caused by unclear skb->cb", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", 
"Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "90cbed5247439a966b645b34eb0a2e037836ea8e", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if\u00a0CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3090", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3090", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3090", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3090", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3090", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3090" } }, "CVE-2023-3106": { "affected_versions": "v3.15-rc1 to v4.8-rc7", "breaks": "d3623099d3509fa68fa28235366049dd3156c63a", "cmt_msg": "xfrm: fix crash in XFRM_MSG_GETSA netlink handler", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "1ba5bf993c6a3142e18e68ea6452b347f9cb5635", "last_affected_version": "4.4.222", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and can cause a denial of service or possibly another unspecified impact. 
Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3106", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3106", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3106", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3106", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3106", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3106" } }, "CVE-2023-3108": { "backport": true, "breaks": "1d10eb2f156f5fc83cf6c7ce60441592e66eadb3", "cmt_msg": "crypto: fix af_alg_make_sg() conversion to iov_iter", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "9399f0c51489ae8c16d6559b82a452fdc1895e91", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the subsequent get_user_pages_fast in the Linux kernel\u2019s interface for symmetric key cipher algorithms in the skcipher_recvmsg of crypto/algif_skcipher.c function. 
This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3108", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3108", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3108", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3108", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3108", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3108" } }, "CVE-2023-31081": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. 
In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31081", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31081", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31081", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31081", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31081", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31081" } }, "CVE-2023-31082": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31082", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31082", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31082", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31082", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31082" } }, "CVE-2023-31083": { "affected_versions": "v2.6.12-rc2 to v6.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": 
"9c33663af9ad115f90c076a1828129a3fbadea98", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31083", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31083", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31083", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31083", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31083" } }, "CVE-2023-31084": { "affected_versions": "v2.6.12-rc2 to v6.4-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "b8c75e4a1b325ea0a9433fa8834be97b5836b946", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. 
However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31084", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31084", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31084", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31084", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31084", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31084" } }, "CVE-2023-31085": { "affected_versions": "v2.6.22-rc1 to v6.6-rc5", "breaks": "801c135ce73d5df1caf3eca35b66a10824ae0707", "cmt_msg": "ubi: Refuse attaching if mtd's erasesize is 0", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "017c73a34a661a861712f7cc1393a123e5b2208c", "last_affected_version": "6.5.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. 
There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31085", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31085", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31085", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31085", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31085", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31085" } }, "CVE-2023-3111": { "affected_versions": "v2.6.31-rc1 to v6.0-rc2", "breaks": "5d4f98a28c7d334091c1b7744f48a1acdd2a4ae0", "cmt_msg": "btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "85f02d6c856b9f3a0acf5219de6e32f58b9778eb", "last_affected_version": "5.19.3", "last_modified": "2023-12-06", "nvd_text": "A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. 
This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3111", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3111", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3111", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3111", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3111", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3111" } }, "CVE-2023-3117": { "affected_versions": "v3.16-rc1 to v6.4-rc7", "breaks": "958bee14d0718ca7a5002c0f48a099d1d345812a", "cmt_msg": "netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "1240eb93f0616b21c675416516ff3d74798fdc97", "last_affected_version": "6.3.8", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: Duplicate of CVE-2023-3390.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3117", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3117", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3117", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3117", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3117", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3117" }, "rejected": true }, "CVE-2023-31248": { "affected_versions": "v5.9-rc1 to v6.5-rc2", "breaks": "837830a4b439bfeb86c70b0115c280377c84714b", "cmt_msg": "netfilter: nf_tables: do not ignore genmask when looking up chain by id", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": 
"None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "515ad530795c118f012539ed76d02bacfd426d89", "last_affected_version": "6.4.3", "last_modified": "2023-12-06", "nvd_text": "Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31248", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31248", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31248", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31248", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31248", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31248" } }, "CVE-2023-3141": { "affected_versions": "v2.6.39-rc1 to v6.4-rc1", "breaks": "9263412501022fecef844907129ee2513b5a89de", "cmt_msg": "memstick: r592: Fix UAF bug in r592_remove due to race condition", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "63264422785021704c39b38f65a78ab9e4a186d7", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. 
This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3141", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3141", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3141", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3141", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3141", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3141" } }, "CVE-2023-31436": { "affected_versions": "v3.7-rc5 to v6.3", "breaks": "3015f3d2a3cd9614294025849d3ed89fd2f3a7f5", "cmt_msg": "net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "3037933448f60f9acb705997eae62013ecb81e0d", "last_affected_version": "6.2", "last_modified": "2023-12-06", "nvd_text": "qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-31436", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-31436", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-31436", "SUSE": "https://www.suse.com/security/cve/CVE-2023-31436", "Ubuntu": "https://ubuntu.com/security/CVE-2023-31436" } }, "CVE-2023-3159": { "affected_versions": "v2.6.36-rc1 to v5.18-rc6", "breaks": "850bb6f23b93c04ce1e4509a87fa607dc17d97c1", "cmt_msg": "firewire: fix potential uaf in outbound_phy_packet_callback()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": 
"High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "b7c81f80246fac44077166f3e07103affe6db8ff", "last_affected_version": "5.17.6", "last_modified": "2023-12-06", "nvd_text": "A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3159", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3159", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3159", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3159", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3159", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3159" } }, "CVE-2023-3161": { "affected_versions": "v2.6.22-rc1 to v6.2-rc7", "breaks": "2d2699d984924890f6dac8cf51c3b6311f56816c", "cmt_msg": "fbcon: Check font dimension limits", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "2b09d5d364986f724f17001ccfe4126b9b43a0be", "last_affected_version": "6.1.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. 
When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3161", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3161", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3161", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3161", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3161", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3161" } }, "CVE-2023-3212": { "affected_versions": "v2.6.24-rc1 to v6.4-rc2", "breaks": "16615be18cadf53ee6f8a4f0bdd647f0753421b1", "cmt_msg": "gfs2: Don't deref jdesc in evict", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "fixes": "504a10d9e46bc37b23d0a1ae2f28973c8516e636", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. 
A privileged local user could use this flaw to cause a kernel panic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3212", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3212", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3212", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3212", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3212", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3212" } }, "CVE-2023-3220": { "affected_versions": "v4.19-rc1 to v6.3-rc1", "breaks": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef", "cmt_msg": "drm/msm/dpu: Add check for pstates", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "93340e10b9c5fc86730d149636e0aa8b47bb5a34", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.1-rc8. 
dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3220", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3220", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3220", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3220", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3220", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3220" } }, "CVE-2023-32233": { "affected_versions": "v2.6.12-rc2 to v6.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: nf_tables: deactivate anonymous set from preparation phase", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "c1592a89942e9678f7d9c8030efa777c0d57edab", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. 
This occurs because anonymous sets are mishandled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32233", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32233", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32233", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32233", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32233", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32233" } }, "CVE-2023-32247": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: destroy expired sessions", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "ea174a91893956450510945a0c5d1a10b5323656", "last_affected_version": "6.3.1", "last_modified": "2023-12-27", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. 
An attacker can leverage this vulnerability to create a denial-of-service condition on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32247", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32247", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32247", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32247", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32247", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32247" } }, "CVE-2023-32248": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "3ac00a2ab69b34189942afa9e862d5170cdcb018", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. 
An attacker can leverage this vulnerability to create a denial-of-service condition on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32248", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32248", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32248", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32248", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32248", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32248" } }, "CVE-2023-32250": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix racy issue from session setup and logoff", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "fixes": "f5c779b7ddbda30866cf2a27c63e34158f858c73", "last_affected_version": "6.3.1", "last_modified": "2023-12-27", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. 
An attacker can leverage this vulnerability to execute code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32250", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32250", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32250", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32250", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32250", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32250" } }, "CVE-2023-32252": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix racy issue from session setup and logoff", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "f5c779b7ddbda30866cf2a27c63e34158f858c73", "last_affected_version": "6.3.1", "last_modified": "2023-12-27", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. 
An attacker can leverage this vulnerability to create a denial-of-service condition on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32252", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32252", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32252", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32252", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32252", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32252" } }, "CVE-2023-32254": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix racy issue under cocurrent smb2 tree disconnect", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "fixes": "30210947a343b6b3ca13adc9bfc88e1543e16dd5", "last_affected_version": "6.3.1", "last_modified": "2023-12-27", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. 
An attacker can leverage this vulnerability to execute code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32254", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32254", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32254", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32254", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32254", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32254" } }, "CVE-2023-32257": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix racy issue from session setup and logoff", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "fixes": "f5c779b7ddbda30866cf2a27c63e34158f858c73", "last_affected_version": "6.3.1", "last_modified": "2023-12-27", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. 
An attacker can leverage this vulnerability to execute code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32257", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32257", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32257", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32257", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32257", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32257" } }, "CVE-2023-32258": { "affected_versions": "v5.15-rc1 to v6.4-rc1", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix racy issue from smb2 close and logoff with multichannel", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "fixes": "abcc506a9a71976a8b4c9bf3ee6efd13229c1e19", "last_affected_version": "6.3.1", "last_modified": "2023-12-27", "nvd_text": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. 
An attacker can leverage this vulnerability to execute code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32258", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32258", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32258", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32258", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32258", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32258" } }, "CVE-2023-32269": { "affected_versions": "v2.6.12-rc2 to v6.2-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netrom: Fix use-after-free caused by accept on already connected socket", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "611792920925fb088ddccbe2783c7f92fdfb6b64", "last_affected_version": "6.1.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. 
However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32269", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32269", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32269", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32269", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32269", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32269" } }, "CVE-2023-32629": { "affected_versions": "v5.19-rc1 to unk", "breaks": "c914c0e27eb0843b7cf3bec71d6f34d53a3a671e", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-32629", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-32629", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-32629", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-32629", "SUSE": "https://www.suse.com/security/cve/CVE-2023-32629", "Ubuntu": "https://ubuntu.com/security/CVE-2023-32629" } }, "CVE-2023-3268": { "affected_versions": "v2.6.22-rc7 to v6.4-rc1", "breaks": "8d62fdebdaf9b866c7e236a8f5cfe90e6dba5773", "cmt_msg": "relayfs: fix out-of-bounds access in relay_file_read", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "43ec16f1450f4936025a9bdf1a273affdb9732c1", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3268", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3268", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3268", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3268", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3268", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3268" } }, "CVE-2023-3269": { "affected_versions": "v6.1-rc1 to v6.5-rc1", "breaks": "54a611b605901c7d5d05b6b8f5d04a6ceb0962aa", "cmt_msg": "mm: introduce new 'lock_mm_and_find_vma()' page fault helper", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "c2508ec5a58db67093f4fb8bf89a9a7c53a109e9", "last_affected_version": "6.4.0", "last_modified": "2023-12-06", "name": "StackRot", "nvd_text": "A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. 
This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3269", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3269", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3269", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3269", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3269", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3269" } }, "CVE-2023-3312": { "affected_versions": "v6.2-rc1 to v6.4-rc1", "breaks": "054a3ef683a176a509cc9b37f762029aae942495", "cmt_msg": "cpufreq: qcom-cpufreq-hw: fix double IO unmap and resource release on exit", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "ba5e770c9698782bc203bbf5cf3b36a77720bdbe", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel. 
This flaw, during device unbind, will lead to a double release problem leading to denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3312", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3312", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3312", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3312", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3312", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3312" } }, "CVE-2023-3317": { "affected_versions": "v6.2-rc1 to v6.3-rc6", "breaks": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb", "cmt_msg": "wifi: mt76: mt7921: Fix use-after-free in fw features query.", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "2ceb76f734e37833824b7fab6af17c999eb48d2b", "last_affected_version": "6.2.14", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel. This flaw could allow an attacker to crash the system after 'features' memory release. 
This vulnerability could even lead to a kernel information leak problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3317", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3317", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3317", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3317", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3317", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3317" } }, "CVE-2023-33203": { "affected_versions": "v4.9-rc1 to v6.3-rc4", "breaks": "b9b17debc69d27cd55e21ee51a5ba7fc50a426cf", "cmt_msg": "net: qcom/emac: Fix use after free bug in emac_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "fixes": "6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-33203", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-33203", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-33203", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-33203", "SUSE": "https://www.suse.com/security/cve/CVE-2023-33203", "Ubuntu": "https://ubuntu.com/security/CVE-2023-33203" } }, "CVE-2023-33250": { "affected_versions": "v6.2-rc1 to v6.5-rc1", "breaks": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2", "cmt_msg": "iommufd: Call iopt_area_contig_done() under the lock", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", 
"Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "fixes": "dbe245cdf5189e88d680379ed13901356628b650", "last_affected_version": "6.4.3", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-33250", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-33250", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-33250", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-33250", "SUSE": "https://www.suse.com/security/cve/CVE-2023-33250", "Ubuntu": "https://ubuntu.com/security/CVE-2023-33250" } }, "CVE-2023-33288": { "affected_versions": "v2.6.39-rc1 to v6.3-rc4", "breaks": "97774672573ac4355bd12cf84b202555c1131b69", "cmt_msg": "power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "47c29d69212911f50bdcdd0564b5999a559010d4", "last_affected_version": "6.2.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. 
It could allow a local attacker to crash the system due to a race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-33288", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-33288", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-33288", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-33288", "SUSE": "https://www.suse.com/security/cve/CVE-2023-33288", "Ubuntu": "https://ubuntu.com/security/CVE-2023-33288" } }, "CVE-2023-3338": { "affected_versions": "v2.6.12-rc2 to v6.1-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Remove DECnet support from kernel", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 6.5 }, "fixes": "1202cdd665315c525b5237e96e0bedc76d7e754f", "last_affected_version": "5.15.117", "last_modified": "2023-12-06", "nvd_text": "A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. 
This issue could allow a remote user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3338", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3338", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3338", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3338", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3338", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3338" } }, "CVE-2023-3355": { "affected_versions": "v5.11-rc1 to v6.3-rc1", "breaks": "20224d715a882210428ea62bba93f1bc4a0afe23", "cmt_msg": "drm/msm/gem: Add check for kmalloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "d839f0811a31322c087a859c2b181e2383daa7be", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). 
This issue allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3355", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3355", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3355", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3355", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3355", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3355" } }, "CVE-2023-3357": { "affected_versions": "v5.11-rc1 to v6.2-rc1", "breaks": "4b2c53d93a4bc9d52cc0ec354629cfc9dc217f93", "cmt_msg": "HID: amd_sfh: Add missing check for dma_alloc_coherent", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "53ffa6a9f83b2170c60591da1ead8791d5a42e81", "last_affected_version": "6.1.1", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. 
This flaw allows a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3357", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3357", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3357", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3357", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3357", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3357" } }, "CVE-2023-3358": { "affected_versions": "v4.9-rc1 to v6.2-rc5", "breaks": "3703f53b99e4a7c373ce3568dd3f91f175ebb626", "cmt_msg": "HID: intel_ish-hid: Add check for ishtp_dma_tx_map", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8", "last_affected_version": "6.1.8", "last_modified": "2023-12-06", "nvd_text": "A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. 
This issue could allow a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3358", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3358", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3358", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3358", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3358" } }, "CVE-2023-3359": { "affected_versions": "v5.18-rc1 to v6.2-rc7", "breaks": "6e977eaa8280e957b87904b536661550f2a6b3e8", "cmt_msg": "nvmem: brcm_nvram: Add check for kzalloc", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "b0576ade3aaf24b376ea1a4406ae138e2a22b0c0", "last_affected_version": "6.1.10", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. 
A missing check of the return value of kzalloc() can cause a NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3359", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3359", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3359", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3359", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3359", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3359" } }, "CVE-2023-3389": { "affected_versions": "v5.1-rc1 to v6.0-rc1", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: mutex locked poll hashing", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "9ca9fb24d5febccea354089c41f96a8ad0d853f8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and\u00a00e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3389", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3389", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3389", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3389", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3389" } }, "CVE-2023-3390": { "affected_versions": "v3.16-rc1 to v6.4-rc7", "breaks": "958bee14d0718ca7a5002c0f48a099d1d345812a", "cmt_msg": 
"netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "1240eb93f0616b21c675416516ff3d74798fdc97", "last_affected_version": "6.3.8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.\n\nMishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.\n\nWe recommend upgrading past commit\u00a01240eb93f0616b21c675416516ff3d74798fdc97.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3390", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3390", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3390", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3390", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3390", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3390" } }, "CVE-2023-33951": { "affected_versions": "v5.17-rc1 to v6.4-rc1", "breaks": "8afa13a0583f94c14607e3041c02f068ac8fb628", "cmt_msg": "drm/vmwgfx: Do not drop the reference to the handle too soon", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "score": 5.3 }, "fixes": "9ef8d83e8e25d5f1811b3a38eb1484f85f64296c", "last_affected_version": "None", "last_modified": "2023-12-06", "nvd_text": "A race condition vulnerability was found in the 
vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-33951", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-33951", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-33951", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-33951", "SUSE": "https://www.suse.com/security/cve/CVE-2023-33951", "Ubuntu": "https://ubuntu.com/security/CVE-2023-33951" } }, "CVE-2023-33952": { "affected_versions": "v5.17-rc1 to v6.4-rc1", "breaks": "8afa13a0583f94c14607e3041c02f068ac8fb628", "cmt_msg": "drm/vmwgfx: Do not drop the reference to the handle too soon", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "9ef8d83e8e25d5f1811b3a38eb1484f85f64296c", "last_affected_version": "None", "last_modified": "2024-01-12", "nvd_text": "A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. 
This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-33952", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-33952", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-33952", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-33952", "SUSE": "https://www.suse.com/security/cve/CVE-2023-33952", "Ubuntu": "https://ubuntu.com/security/CVE-2023-33952" } }, "CVE-2023-3397": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. 
This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3397", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3397", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3397", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3397", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3397" } }, "CVE-2023-34255": { "affected_versions": "v2.6.12-rc2 to v6.4-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xfs: verify buffer contents when we skip log replay", "fixes": "22ed903eee23a5b174e240f1cdfa9acf393a5210", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-2124. Reason: This candidate is a duplicate of CVE-2023-2124. Notes: All CVE users should reference CVE-2023-2124 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-34255", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-34255", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-34255", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-34255", "SUSE": "https://www.suse.com/security/cve/CVE-2023-34255", "Ubuntu": "https://ubuntu.com/security/CVE-2023-34255" }, "rejected": true }, "CVE-2023-34256": { "affected_versions": "v2.6.24-rc1 to v6.4-rc2", "breaks": "717d50e4971b81b96c0199c91cdf0039a8cb181a", "cmt_msg": "ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "4f04351888a83e595571de672e0a4a8b74f4fb31", "last_affected_version": "6.3.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. 
NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-34256", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-34256", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-34256", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-34256", "SUSE": "https://www.suse.com/security/cve/CVE-2023-34256", "Ubuntu": "https://ubuntu.com/security/CVE-2023-34256" } }, "CVE-2023-34319": { "affected_versions": "v6.1 to v6.5-rc6", "breaks": "ad7f402ae4f466647c3a669b8a6f3e5d4271c84a", "cmt_msg": "xen/netback: Fix buffer overrun triggered by unusual packet", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "534fc31d09b706a16d83533e16b5dc855caf7576", "last_affected_version": "6.4.8", "last_modified": "2023-12-06", "nvd_text": "The fix for XSA-423 added logic to Linux'es netback driver to deal with\na frontend splitting a packet in a way such that not all of the headers\nwould come in one piece. Unfortunately the logic introduced there\ndidn't account for the extreme case of the entire packet being split\ninto as many pieces as permitted by the protocol, yet still being\nsmaller than the area that's specially dealt with to keep all (possible)\nheaders together. 
Such an unusual packet would therefore trigger a\nbuffer overrun in the driver.\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-34319", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-34319", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-34319", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-34319", "SUSE": "https://www.suse.com/security/cve/CVE-2023-34319", "Ubuntu": "https://ubuntu.com/security/CVE-2023-34319" } }, "CVE-2023-34324": { "affected_versions": "v5.10-rc1 to v6.6-rc6", "breaks": "54c9de89895e0a36047fcc4ae754ea5b8655fb9d", "cmt_msg": "xen/events: replace evtchn_rwlock with RCU", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.9 }, "fixes": "87797fad6cce28ec9be3c13f031776ff4f104cfc", "last_affected_version": "6.5.6", "last_modified": "2024-01-12", "nvd_text": "Closing of an event channel in the Linux kernel can result in a deadlock.\nThis happens when the close is being performed in parallel to an unrelated\nXen console action and the handling of a Xen console interrupt in an\nunprivileged guest.\n\nThe closing of an event channel is e.g. triggered by removal of a\nparavirtual device on the other side. 
As this action will cause console\nmessages to be issued on the other side quite often, the chance of\ntriggering the deadlock is not negligible.\n\nNote that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel\non Arm doesn't use queued-RW-locks, which are required to trigger the\nissue (on Arm32 a waiting writer doesn't block further readers to get\nthe lock).\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-34324", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-34324", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-34324", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-34324", "SUSE": "https://www.suse.com/security/cve/CVE-2023-34324", "Ubuntu": "https://ubuntu.com/security/CVE-2023-34324" } }, "CVE-2023-3439": { "affected_versions": "v5.15-rc1 to v5.18-rc5", "breaks": "583be982d93479ea3d85091b0fd0b01201ede87d", "cmt_msg": "mctp: defer the kfree of object mdev->addrs", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "b561275d633bcd8e0e8055ab86f1a13df75a0269", "last_affected_version": "5.17.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. 
However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3439", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3439", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3439", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3439", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3439", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3439" } }, "CVE-2023-35001": { "affected_versions": "v3.13-rc1 to v6.5-rc2", "breaks": "96518518cc417bb0a8c80b9fb736202e28acdf96", "cmt_msg": "netfilter: nf_tables: prevent OOB access in nft_byteorder_eval", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd", "last_affected_version": "6.4.3", "last_modified": "2023-12-06", "nvd_text": "Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35001", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35001", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35001", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35001", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35001", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35001" } }, "CVE-2023-3567": { "affected_versions": "v2.6.38-rc3 to v6.2-rc7", "breaks": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff", "cmt_msg": "vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", 
"Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "226fae124b2dac217ea5436060d623ff3385bc34", "last_affected_version": "6.1.10", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3567", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3567", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3567", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3567", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3567", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3567" } }, "CVE-2023-35693": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "In incfs_kill_sb of fs/incfs/vfs.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35693", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35693", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35693", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35693", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35693", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35693" }, "vendor_specific": true }, "CVE-2023-35788": { "affected_versions": "v4.19-rc1 to v6.4-rc5", "breaks": "0a6e77784f490912d81b92cfd48424541c04691e", "cmt_msg": "net/sched: flower: fix possible OOB write in fl_set_geneve_opt()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "4d56304e5827c8cc8cc18c75343d283af7c4825c", "last_affected_version": "6.3.6", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. 
This may result in denial of service or privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35788", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35788", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35788", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35788", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35788", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35788" } }, "CVE-2023-35823": { "affected_versions": "v4.15-rc1 to v6.4-rc1", "breaks": "1e7126b4a86ad69e870099fb6b922a3b6e29598b", "cmt_msg": "media: saa7134: fix use after free bug in saa7134_finidev due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "30cf57da176cca80f11df0d9b7f71581fe601389", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.2. 
A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35823", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35823", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35823", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35823", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35823", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35823" } }, "CVE-2023-35824": { "affected_versions": "v2.6.34-rc1 to v6.4-rc1", "breaks": "34d2f9bf189c36ef8642cf6b64e80dfb756d888f", "cmt_msg": "media: dm1105: Fix use after free bug in dm1105_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "5abda7a16698d4d1f47af1168d8fa2c640116b4a", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.2. 
A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35824", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35824", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35824", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35824", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35824" } }, "CVE-2023-35826": { "affected_versions": "v5.18-rc1 to v6.4-rc1", "breaks": "7c38a551bda1b7adea7e98e5c6786f5bee7100b8", "cmt_msg": "media: cedrus: fix use after free bug in cedrus_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "50d0a7aea4809cef87979d4669911276aa23b71f", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.2. 
A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35826", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35826", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35826", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35826", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35826", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35826" } }, "CVE-2023-35827": { "affected_versions": "v4.2-rc1 to v6.6-rc6", "breaks": "c156633f1353264634135dea86ffcae74f2122fc", "cmt_msg": "ravb: Fix use-after-free issue in ravb_tx_timeout_work()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "3971442870713de527684398416970cf025b4f89", "last_affected_version": "6.5.7", "last_modified": "2024-02-02", "nvd_text": "An issue was discovered in the Linux kernel through 6.3.8. 
A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35827", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35827", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35827", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35827", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35827", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35827" } }, "CVE-2023-35828": { "affected_versions": "v4.19-rc1 to v6.4-rc1", "breaks": "39facfa01c9fc64f90233d1734882f0a0cafe36a", "cmt_msg": "usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "2b947f8769be8b8181dc795fd292d3e7120f5204", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.2. 
A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35828", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35828", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35828", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35828", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35828" } }, "CVE-2023-35829": { "affected_versions": "v5.8-rc1 to v6.4-rc1", "breaks": "cd33c830448baf7b1e94da72eca069e3e1d050c9", "cmt_msg": "media: rkvdec: fix use after free bug in rkvdec_remove", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "3228cec23b8b29215e18090c6ba635840190993d", "last_affected_version": "6.3.1", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.2. 
A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-35829", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-35829", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-35829", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-35829", "SUSE": "https://www.suse.com/security/cve/CVE-2023-35829", "Ubuntu": "https://ubuntu.com/security/CVE-2023-35829" } }, "CVE-2023-3609": { "affected_versions": "v4.14-rc1 to v6.4-rc7", "breaks": "705c7091262d02b09eb686c24491de61bf42fdb2", "cmt_msg": "net/sched: cls_u32: Fix reference counter leak leading to overflow", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "04c55383fa5689357bcdd2c8036725a55ed632bc", "last_affected_version": "6.3.8", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). 
If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3609", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3609", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3609", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3609", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3609", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3609" } }, "CVE-2023-3610": { "affected_versions": "v5.9-rc1 to v6.4", "breaks": "d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87", "cmt_msg": "netfilter: nf_tables: fix chain binding transaction logic", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "4bedf9eee016286c835e3d8fa981ddece5338795", "last_affected_version": "6.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nFlaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. 
The vulnerability requires CAP_NET_ADMIN to be triggered.\n\nWe recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3610", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3610", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3610", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3610" } }, "CVE-2023-3611": { "affected_versions": "v3.8-rc1 to v6.5-rc2", "breaks": "462dbc9101acd38e92eda93c0726857517a24bbd", "cmt_msg": "net/sched: sch_qfq: account for stab overhead in qfq_enqueue", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "3e337087c3b5805fe0b8a46ba622a962880b5d64", "last_affected_version": "6.4.4", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\n\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\n\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3611", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3611", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3611", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3611" } }, "CVE-2023-3640": { "affected_versions": "unk to unk", "breaks": "", 
"cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3640", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3640", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3640", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3640", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3640" } }, "CVE-2023-37453": { "affected_versions": "v6.3-rc1 to v6.6-rc1", "breaks": "45bf39f8df7f05efb83b302c65ae3b9bc92b7065", "cmt_msg": "USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "fixes": "ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b", "last_affected_version": "6.5.2", 
"last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-37453", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-37453", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-37453", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-37453", "SUSE": "https://www.suse.com/security/cve/CVE-2023-37453", "Ubuntu": "https://ubuntu.com/security/CVE-2023-37453" } }, "CVE-2023-37454": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. 
NOTE: the suse.com reference has a different perspective about this.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-37454", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-37454", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-37454", "SUSE": "https://www.suse.com/security/cve/CVE-2023-37454", "Ubuntu": "https://ubuntu.com/security/CVE-2023-37454" } }, "CVE-2023-3772": { "affected_versions": "v2.6.39-rc1 to v6.5-rc7", "breaks": "d8647b79c3b7e223ac051439d165bc8e7bbb832f", "cmt_msg": "xfrm: add NULL check in xfrm_update_ae_params", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "fixes": "00374d9b6d9f932802b55181be9831aa948e5b7c", "last_affected_version": "6.4.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). 
This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3772", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3772", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3772", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3772", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3772", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3772" } }, "CVE-2023-3773": { "affected_versions": "v5.17-rc1 to v6.5-rc7", "breaks": "4e484b3e969b52effd95c17f7a86f39208b2ccf4", "cmt_msg": "xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "fixes": "5e2424708da7207087934c5c75211e8584d553a0", "last_affected_version": "6.4.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). 
This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3773", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3773", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3773", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3773", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3773", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3773" } }, "CVE-2023-3776": { "affected_versions": "v2.6.12-rc2 to v6.5-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/sched: cls_fw: Fix improper refcount update leads to use-after-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "0323bce598eea038714f941ce2b22541c46d488f", "last_affected_version": "6.4.4", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). 
If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3776", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3776", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3776", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3776", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3776", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3776" } }, "CVE-2023-3777": { "affected_versions": "v5.9-rc1 to v6.5-rc3", "breaks": "d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87", "cmt_msg": "netfilter: nf_tables: skip bound chain on rule flush", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8", "last_affected_version": "6.4.6", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nWhen nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.\n\nWe recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3777", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3777", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3777", "Ubuntu": 
"https://ubuntu.com/security/CVE-2023-3777" } }, "CVE-2023-3812": { "affected_versions": "v4.15-rc1 to v6.1-rc4", "breaks": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "cmt_msg": "net: tun: fix bugs for oversize packet when napi frags enabled", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "363a5328f4b0517e59572118ccfb7c626d81dca9", "last_affected_version": "6.0.7", "last_modified": "2023-12-06", "nvd_text": "An out-of-bounds memory access flaw was found in the Linux kernel\u2019s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3812", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3812", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3812", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3812", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3812", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3812" } }, "CVE-2023-38409": { "affected_versions": "v5.19-rc1 to v6.3-rc7", "breaks": "d443d93864726ad68c0a741d1e7b03934a9af143", "cmt_msg": "fbcon: set_con2fb_map needs to set con2fb_map!", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "fffb0b52d5258554c645c966c6cbef7de50b851d", "last_affected_version": "6.2.11", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered 
in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38409", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38409", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38409", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38409", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38409", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38409" } }, "CVE-2023-38426": { "affected_versions": "v5.15-rc1 to v6.4-rc3", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix global-out-of-bounds in smb2_find_context_vals", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 9.1 }, "fixes": "02f76c401d17e409ed45bf7887148fcc22c93c85", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.4. 
ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38426", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38426", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38426", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38426", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38426", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38426" } }, "CVE-2023-38427": { "affected_versions": "v5.15-rc1 to v6.4-rc6", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix out-of-bound read in deassemble_neg_contexts()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "fixes": "f1a411873c85b642f13b01f21b534c2bab81fc1b", "last_affected_version": "6.3.7", "last_modified": "2023-12-27", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.8. 
fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38427", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38427", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38427", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38427", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38427", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38427" } }, "CVE-2023-38428": { "affected_versions": "v5.15-rc1 to v6.4-rc3", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix wrong UserName check in session_user", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 9.1 }, "fixes": "f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.4. 
fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38428", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38428", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38428", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38428", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38428" } }, "CVE-2023-38429": { "affected_versions": "v5.15-rc1 to v6.4-rc3", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: allocate one more byte for implied bcc[0]", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "fixes": "443d61d1fa9faa60ef925513d83742902390100f", "last_affected_version": "6.3.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.4. 
fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38429", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38429", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38429", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38429", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38429", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38429" } }, "CVE-2023-38430": { "affected_versions": "v5.15-rc1 to v6.4-rc6", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: validate smb request protocol id", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 9.1 }, "fixes": "1c1bcf2d3ea061613119b534f57507c377df20f9", "last_affected_version": "6.3.8", "last_modified": "2023-12-27", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.9. 
ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38430", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38430", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38430", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38430", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38430", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38430" } }, "CVE-2023-38431": { "affected_versions": "v5.15-rc1 to v6.4-rc6", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 9.1 }, "fixes": "368ba06881c395f1c9a7ba22203cf8d78b4addc0", "last_affected_version": "6.3.7", "last_modified": "2023-12-27", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.8. 
fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38431", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38431", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38431", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38431", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38431", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38431" } }, "CVE-2023-38432": { "affected_versions": "v5.15-rc1 to v6.4", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: validate command payload size", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "score": 9.1 }, "fixes": "2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d", "last_affected_version": "6.3", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.3.10. 
fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-38432", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-38432", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-38432", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-38432", "SUSE": "https://www.suse.com/security/cve/CVE-2023-38432", "Ubuntu": "https://ubuntu.com/security/CVE-2023-38432" } }, "CVE-2023-3863": { "affected_versions": "v3.8-rc1 to v6.5-rc1", "breaks": "52feb444a90304eb13c03115bb9758101dbb9254", "cmt_msg": "net: nfc: Fix use-after-free caused by nfc_llcp_find_local", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.1 }, "fixes": "6709d4b7bc2e079241fdef15d1160581c5261c10", "last_affected_version": "6.4.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. 
This flaw allows a local user with special privileges to impact a kernel information leak issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3863", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3863", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3863", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3863", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3863", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3863" } }, "CVE-2023-3865": { "affected_versions": "v5.15-rc1 to v6.4", "breaks": "a848c4f15ab6d5d405dbee7de5da71839b2bf35e", "cmt_msg": "ksmbd: fix out-of-bound read in smb2_write", "fixes": "5fe7f7b78290638806211046a99f031ff26164e1", "last_affected_version": "6.3", "last_modified": "2023-09-17", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3865", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3865", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3865", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3865", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3865", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3865" } }, "CVE-2023-3866": { "affected_versions": "v5.15-rc1 to v6.4", "breaks": "a848c4f15ab6d5d405dbee7de5da71839b2bf35e", "cmt_msg": "ksmbd: validate session id and tree id in the compound request", "fixes": "5005bcb4219156f1bf7587b185080ec1da08518e", "last_affected_version": "6.3", "last_modified": "2023-09-17", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3866", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3866", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3866", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3866", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3866", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3866" } }, "CVE-2023-3867": { "affected_versions": "v5.15-rc1 to v6.5-rc1", "breaks": "a848c4f15ab6d5d405dbee7de5da71839b2bf35e", "cmt_msg": 
"ksmbd: add missing compound request handing in some commands", "fixes": "7b7d709ef7cf285309157fb94c33f625dd22c5e1", "last_affected_version": "6.4.4", "last_modified": "2023-12-27", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-3867", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-3867", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-3867", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-3867", "SUSE": "https://www.suse.com/security/cve/CVE-2023-3867", "Ubuntu": "https://ubuntu.com/security/CVE-2023-3867" } }, "CVE-2023-39189": { "affected_versions": "v2.6.31-rc1 to v6.6-rc1", "breaks": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384", "cmt_msg": "netfilter: nfnetlink_osf: avoid OOB read", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "fixes": "f4f8a7803119005e87b716874bec07c751efafec", "last_affected_version": "6.5.3", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. 
This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39189", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39189", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39189", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39189", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39189", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39189" } }, "CVE-2023-39191": { "affected_versions": "v5.19-rc1 to v6.3-rc1", "breaks": "97e03f521050c092919591e668107b3d69c5f426", "cmt_msg": "bpf: Fix state pruning for STACK_DYNPTR stack slots", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "score": 8.2 }, "cwe": "Unspecified", "fixes": "d6fefa1105dacc8a742cdcf2f4bfb501c9e61349", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. 
This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39191", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39191", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39191", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39191", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39191", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39191" } }, "CVE-2023-39192": { "affected_versions": "v2.6.23-rc1 to v6.6-rc1", "breaks": "1b50b8a371e90a5e110f466e4ac02cf6b5f681de", "cmt_msg": "netfilter: xt_u32: validate user space input", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "fixes": "69c5d284f67089b4750d28ff6ac6f52ec224b330", "last_affected_version": "6.5.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. 
This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39192", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39192", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39192", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39192", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39192", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39192" } }, "CVE-2023-39193": { "affected_versions": "v2.6.16-rc1 to v6.6-rc1", "breaks": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc", "cmt_msg": "netfilter: xt_sctp: validate the flag_info count", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "fixes": "e99476497687ef9e850748fe6d232264f30bc8f9", "last_affected_version": "6.5.2", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. 
This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39193", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39193", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39193", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39193", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39193" } }, "CVE-2023-39194": { "affected_versions": "v3.15-rc1 to v6.5-rc7", "breaks": "d3623099d3509fa68fa28235366049dd3156c63a", "cmt_msg": "net: xfrm: Fix xfrm_address_filter OOB read", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "score": 4.4 }, "fixes": "dfa73c17d55b921e1d4e154976de35317e43a93a", "last_affected_version": "6.4.11", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. 
This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39194", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39194", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39194", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39194", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39194", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39194" } }, "CVE-2023-39197": { "affected_versions": "v2.6.26-rc1 to v6.5-rc1", "breaks": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "cmt_msg": "netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "fixes": "ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30", "last_affected_version": "6.4.3", "last_modified": "2024-02-02", "nvd_text": "An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. 
This flaw allows a remote user to disclose sensitive information via the DCCP protocol.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39197", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39197", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39197", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39197", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39197", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39197" } }, "CVE-2023-39198": { "affected_versions": "v3.10-rc1 to v6.5-rc7", "breaks": "f64122c1f6ade301585569863b4b3b18f6e4e332", "cmt_msg": "drm/qxl: fix UAF on handle creation", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "fixes": "c611589b4259ed63b9b77be6872b1ce07ec0ac16", "last_affected_version": "6.4.11", "last_modified": "2024-02-02", "nvd_text": "A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. 
This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-39198", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-39198", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-39198", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-39198", "SUSE": "https://www.suse.com/security/cve/CVE-2023-39198", "Ubuntu": "https://ubuntu.com/security/CVE-2023-39198" } }, "CVE-2023-4004": { "affected_versions": "v5.6-rc1 to v6.5-rc3", "breaks": "3c4287f62044a90e73a561aa05fc46e62da173da", "cmt_msg": "netfilter: nft_set_pipapo: fix improper element removal", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "87b5a5c209405cb6b57424cdfa226a6dbd349232", "last_affected_version": "6.4.6", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. 
This issue could allow a local user to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4004", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4004", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4004", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4004", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4004" } }, "CVE-2023-4010": { "affected_versions": "v2.6.35-rc1 to unk", "breaks": "21677cfc562a27e099719d413287bc8d1d24deb7", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 4.6 }, "fixes": "", "last_modified": "2024-02-02", "nvd_text": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. 
Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4010", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4010", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4010", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4010", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4010" } }, "CVE-2023-4015": { "affected_versions": "v5.9-rc1 to v6.5-rc4", "breaks": "d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87", "cmt_msg": "netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "0a771f7b266b02d262900c75f1e175c7fe76fec2", "last_affected_version": "6.4.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nOn an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.\n\nWe recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4015", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4015", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4015", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4015", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4015", "Ubuntu": 
"https://ubuntu.com/security/CVE-2023-4015" } }, "CVE-2023-40283": { "affected_versions": "v2.6.12-rc2 to v6.5-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "1728137b33c00d5a2b5110ed7aafb42e7c32e4a1", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-40283", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-40283", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-40283", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-40283", "SUSE": "https://www.suse.com/security/cve/CVE-2023-40283", "Ubuntu": "https://ubuntu.com/security/CVE-2023-40283" } }, "CVE-2023-40791": { "affected_versions": "v6.3-rc1 to v6.5-rc6", "breaks": "0185846975339a5c348373aa450a977f5242366b", "cmt_msg": "crypto, cifs: fix error handling in extract_iter_to_sg()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "score": 9.1 }, "cwe": "Unspecified", "fixes": "f443fd5af5dbd531f880d3645d5dd36976cf087f", "last_affected_version": "6.4.11", "last_modified": "2023-12-06", "nvd_text": "extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, 
as demonstrated by a WARNING for try_grab_page.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-40791", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-40791", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-40791", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-40791", "SUSE": "https://www.suse.com/security/cve/CVE-2023-40791", "Ubuntu": "https://ubuntu.com/security/CVE-2023-40791" } }, "CVE-2023-4128": { "affected_versions": "v3.18-rc1 to v6.5-rc5", "breaks": "de5df63228fcfbd5bb7fd883774c18fec9e61f12", "cmt_msg": "net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. 
All references and descriptions in this record have been removed to prevent accidental usage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4128", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4128", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4128", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4128", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4128", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4128" } }, "CVE-2023-4132": { "affected_versions": "v4.6-rc1 to v6.5-rc1", "breaks": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf", "cmt_msg": "media: usb: siano: Fix warning due to null work_func_t function pointer", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "6f489a966fbeb0da63d45c2c66a8957eab604bf6", "last_affected_version": "6.4.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. 
This flaw allows a local user to crash the system, causing a denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4132", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4132", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4132", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4132", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4132", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4132" } }, "CVE-2023-4133": { "affected_versions": "v4.15-rc1 to v6.3", "breaks": "e0f911c81e93fc23fe1a4fb0318ff1c3b1c9027f", "cmt_msg": "cxgb4: fix use after free bugs caused by circular dependency problem", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "e50b9b9e8610d47b7c22529443e45a16b1ea3a15", "last_affected_version": "6.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. 
This flaw allows a local user to crash the system, causing a denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4133", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4133", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4133", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4133", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4133" } }, "CVE-2023-4134": { "affected_versions": "v3.11-rc1 to v6.5-rc1", "breaks": "17fb1563d69b63fe7a79570fe870cf7e530cd2cd", "cmt_msg": "Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()", "fixes": "dbe836576f12743a7d2d170ad4ad4fd324c4d47a", "last_affected_version": "6.4.3", "last_modified": "2023-08-25", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4134", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4134", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4134", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4134", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4134", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4134" } }, "CVE-2023-4147": { "affected_versions": "v5.9-rc1 to v6.5-rc4", "breaks": "d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87", "cmt_msg": "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "0ebc1064e4874d5987722a2ddbc18f94aa53b211", "last_affected_version": "6.4.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in the Linux kernel\u2019s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. 
This flaw allows a local user to crash or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4147", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4147", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4147", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4147", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4147" } }, "CVE-2023-4155": { "affected_versions": "v5.11-rc1 to v6.5-rc6", "breaks": "291bd20d5d88814a73d43b55b9428feab2f28094", "cmt_msg": "KVM: SEV: only access GHCB fields once", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Changed", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "score": 5.6 }, "fixes": "7588dbcebcbf0193ab5b76987396d0254270b04a", "last_affected_version": "6.4.10", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. 
If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4155", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4155", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4155", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4155", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4155", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4155" } }, "CVE-2023-4194": { "affected_versions": "v6.3-rc1 to v6.5-rc5", "breaks": "a096ccca6e503a5c575717ff8a36ace27510ab0a", "cmt_msg": "net: tun_chr_open(): set sk_uid from current_fsuid()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.5 }, "fixes": "9bc3047374d5bec163e83e743709e23753376f0c", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. 
The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4194", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4194", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4194", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4194", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4194", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4194" } }, "CVE-2023-4206": { "affected_versions": "v3.18-rc1 to v6.5-rc5", "breaks": "1109c00547fc66df45b9ff923544be4c1e1bec13", "cmt_msg": "net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\n\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. 
This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4206", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4206", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4206", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4206", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4206", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4206" } }, "CVE-2023-4207": { "affected_versions": "v3.18-rc1 to v6.5-rc5", "breaks": "e35a8ee5993ba81fd6c092f6827458c60406255b", "cmt_msg": "net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "76e42ae831991c828cffa8c37736ebfb831ad5ec", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. 
This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4207", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4207", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4207", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4207", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4207", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4207" } }, "CVE-2023-4208": { "affected_versions": "v3.18-rc1 to v6.5-rc5", "breaks": "de5df63228fcfbd5bb7fd883774c18fec9e61f12", "cmt_msg": "net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. 
This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4208", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4208", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4208", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4208", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4208", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4208" } }, "CVE-2023-4244": { "affected_versions": "v5.6-rc1 to v6.5-rc7", "breaks": "3c4287f62044a90e73a561aa05fc46e62da173da", "cmt_msg": "netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "6a33d8b73dfac0a41f3877894b38082bd0c9a5bc", "last_affected_version": "6.4.11", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nDue to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.\n\nWe recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4244", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4244", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-4244", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4244", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4244", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4244" } }, "CVE-2023-4273": { "affected_versions": "v5.7-rc1 to v6.5-rc5", "breaks": "ca06197382bde0a3bc20215595d1c9ce20c6e341", "cmt_msg": "exfat: check if filename entries exceeds max filename length", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "d42334578eba1390859012ebb91e1e556d51db49", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. 
Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4273", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4273", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4273", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4273", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4273" } }, "CVE-2023-42752": { "affected_versions": "v2.6.38-rc1 to v6.6-rc1", "breaks": "57e1ab6eaddc9f2c358cd4afb497cda6e3c6821a", "cmt_msg": "igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "c3b704d4a4a265660e665df51b129e8425216ed1", "last_affected_version": "6.5.2", "last_modified": "2023-12-06", "nvd_text": "An integer overflow flaw was found in the Linux kernel. 
This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-42752", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-42752", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-42752", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-42752", "SUSE": "https://www.suse.com/security/cve/CVE-2023-42752", "Ubuntu": "https://ubuntu.com/security/CVE-2023-42752" } }, "CVE-2023-42753": { "affected_versions": "v4.20-rc2 to v6.6-rc1", "breaks": "886503f34d63e681662057448819edb5b1057a97", "cmt_msg": "netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "050d91c03b28ca479df13dfb02bcd2c60dd6a878", "last_affected_version": "6.5.2", "last_modified": "2023-12-06", "nvd_text": "An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. 
This issue may allow a local user to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-42753", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-42753", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-42753", "SUSE": "https://www.suse.com/security/cve/CVE-2023-42753", "Ubuntu": "https://ubuntu.com/security/CVE-2023-42753" } }, "CVE-2023-42754": { "affected_versions": "v5.1-rc6 to v6.6-rc3", "breaks": "ed0de45a1008991fdaa27a0152befcb74d126a8b", "cmt_msg": "ipv4: fix null-deref in ipv4_link_failure", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "0113d9c9d1ccc07f5a3710dac4aa24b6d711278c", "last_affected_version": "6.5.5", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. 
This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-42754", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-42754", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-42754", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-42754", "SUSE": "https://www.suse.com/security/cve/CVE-2023-42754", "Ubuntu": "https://ubuntu.com/security/CVE-2023-42754" } }, "CVE-2023-42755": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/sched: Retire rsvp classifier", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "265b4da82dbf5df04bee5a5d46b7474b1aaf326a", "last_affected_version": "6.1.54", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. 
This issue may allow a local user to crash the system and cause a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-42755", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-42755", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-42755", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-42755", "SUSE": "https://www.suse.com/security/cve/CVE-2023-42755", "Ubuntu": "https://ubuntu.com/security/CVE-2023-42755" } }, "CVE-2023-42756": { "affected_versions": "v6.4-rc6 to v6.6-rc3", "breaks": "24e227896bbf003165e006732dccb3516f87f88e", "cmt_msg": "netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "7433b6d2afd512d04398c73aa984d1e285be125b", "last_affected_version": "6.5.5", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_CREATE and IPSET_CMD_SWAP (the NVD description names IPSET_CMD_ADD, but the fixing commit message refers to IPSET_CMD_CREATE) can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. 
This issue may allow a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-42756", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-42756", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-42756", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-42756", "SUSE": "https://www.suse.com/security/cve/CVE-2023-42756", "Ubuntu": "https://ubuntu.com/security/CVE-2023-42756" } }, "CVE-2023-4385": { "affected_versions": "v2.6.12-rc2 to v5.19-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs: jfs: fix possible NULL pointer dereference in dbFree()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "0d4837fdb796f99369cf7691d33de1b856bcaf1f", "last_affected_version": "5.18.2", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. 
This issue may allow a local attacker to crash the system due to a missing sanity check.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4385", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4385", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4385", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4385", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4385", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4385" } }, "CVE-2023-4387": { "affected_versions": "v4.4-rc4 to v5.18", "breaks": "5738a09d58d5ad2871f1f9a42bf6a3aa9ece5b3c", "cmt_msg": "net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "9e7fef9521e73ca8afd7da9e58c14654b02dfad8", "last_affected_version": "5.17", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. 
This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4387", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4387", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4387", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4387", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4387", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4387" } }, "CVE-2023-4389": { "affected_versions": "v5.7-rc1 to v5.18-rc3", "breaks": "bc44d7c4b2b179c4b74fba208b9908e2ecbc1b4d", "cmt_msg": "btrfs: fix root ref counts in error handling in btrfs_get_root_ref", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "168a2f776b9762f4021421008512dd7ab7474df1", "last_affected_version": "5.17.3", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. 
This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4389", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4389", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4389", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4389", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4389", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4389" } }, "CVE-2023-4394": { "affected_versions": "v5.16-rc1 to v6.0-rc3", "breaks": "faa775c41d655a4786e9d53cb075a77bb5a75f66", "cmt_msg": "btrfs: fix possible memory leak in btrfs_get_dev_args_from_path()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "score": 6.0 }, "fixes": "9ea0106a7a3d8116860712e3f17cd52ce99f6707", "last_affected_version": "5.19.5", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. 
This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4394", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4394", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4394", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4394", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4394", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4394" } }, "CVE-2023-44466": { "affected_versions": "v5.11-rc1 to v6.5-rc2", "breaks": "cd1a677cad994021b19665ed476aea63f5d54f31", "cmt_msg": "libceph: harden msgr2.1 frame segment length checks", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "fixes": "a282a2f10539dce2aa619e71e1817570d557fc97", "last_affected_version": "6.4.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. 
This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-44466", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-44466", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-44466", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-44466", "SUSE": "https://www.suse.com/security/cve/CVE-2023-44466", "Ubuntu": "https://ubuntu.com/security/CVE-2023-44466" } }, "CVE-2023-4459": { "affected_versions": "v2.6.32-rc5 to v5.18", "breaks": "d1a890fa37f27d6aca3abc6e25e4148efc3223a6", "cmt_msg": "net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd", "last_affected_version": "5.17", "last_modified": "2023-12-06", "nvd_text": "A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. 
This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4459", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4459", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4459", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4459", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4459" } }, "CVE-2023-4563": { "affected_versions": "v5.6-rc1 to v6.5-rc6", "breaks": "3c4287f62044a90e73a561aa05fc46e62da173da", "cmt_msg": "netfilter: nf_tables: don't skip expired elements during walk", "fixes": "24138933b97b055d486e8064b4a1721702442a9b", "last_affected_version": "6.4.10", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: This was assigned as a duplicate of CVE-2023-4244.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4563", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4563", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4563", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4563", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4563", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4563" }, "rejected": true }, "CVE-2023-4569": { "affected_versions": "v5.13-rc1 to v6.5-rc7", "breaks": "aaa31047a6d25da0fa101da1ed544e1247949b40", "cmt_msg": "netfilter: nf_tables: deactivate catchall elements in next generation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "90e5b3462efa37b8bba82d7c4e63683856e188af", "last_affected_version": "6.4.11", "last_modified": "2023-12-06", "nvd_text": "A memory leak flaw was found in 
nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4569", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4569", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4569", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4569", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4569", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4569" } }, "CVE-2023-45862": { "affected_versions": "v3.1-rc1 to v6.3-rc1", "breaks": "33842cedfc33ee907b2a702f321a26f7c0bf0aaa", "cmt_msg": "USB: ene_usb6250: Allocate enough memory for full object", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "ce33e64c1788912976b61314b56935abd4bc97ef", "last_affected_version": "6.2.4", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. 
An object could potentially extend beyond the end of an allocation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-45862", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-45862", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-45862", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-45862", "SUSE": "https://www.suse.com/security/cve/CVE-2023-45862", "Ubuntu": "https://ubuntu.com/security/CVE-2023-45862" } }, "CVE-2023-45863": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "kobject: Fix slab-out-of-bounds in fill_kobj_path()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.4 }, "fixes": "3bb2a01caa813d3a1845d378bbe4169ef280d394", "last_affected_version": "6.2.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. 
With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-45863", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-45863", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-45863", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-45863", "SUSE": "https://www.suse.com/security/cve/CVE-2023-45863", "Ubuntu": "https://ubuntu.com/security/CVE-2023-45863" } }, "CVE-2023-45871": { "affected_versions": "v3.4-rc1 to v6.6-rc1", "breaks": "89eaefb61dc9170237d95b844dd357338fc7225d", "cmt_msg": "igb: set max size RX buffer when store bad packet is enabled", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "fixes": "bb5ed01cd2428cd25b1c88a3a9cba87055eb289f", "last_affected_version": "6.5.2", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. 
The RX buffer size may not be adequate for frames larger than the MTU when the driver's store-bad-packet mode is enabled (per the fixing commit), so an oversized frame received from the network can overrun the buffer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-45871", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-45871", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-45871", "SUSE": "https://www.suse.com/security/cve/CVE-2023-45871", "Ubuntu": "https://ubuntu.com/security/CVE-2023-45871" } }, "CVE-2023-45898": { "affected_versions": "v6.5-rc1 to v6.6-rc1", "breaks": "2a69c450083db164596c75c0f5b4d9c4c0e18eba", "cmt_msg": "ext4: fix slab-use-after-free in ext4_es_insert_extent()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "768d612f79822d30a1e7d132a4d4b05337ce42ec", "last_affected_version": "6.5.3", "last_modified": "2023-12-06", "nvd_text": "The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-45898", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-45898", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-45898", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-45898", "SUSE": "https://www.suse.com/security/cve/CVE-2023-45898", "Ubuntu": "https://ubuntu.com/security/CVE-2023-45898" } }, "CVE-2023-4610": { "affected_versions": "v6.4-rc1 to v6.4", "breaks": "f95bdb700bc6bb74e1199b1f5f90c613e152cfa7", "cmt_msg": "Revert \"mm: vmscan: make global slab shrink lockless\"", "fixes": "71c3ad65fabec9620d3f548b2da948c79c7ad9d5", "last_affected_version": "6.3", "last_modified": "2024-01-15", "nvd_text": "Rejected reason: The SRCU code was added in upstream kernel v6.4-rc1 and removed before v6.4. 
This bug only existed in development kernels. Please see https://lore.kernel.org/all/ZTKVfoQZplpB8rki@casper.infradead.org and https://bugzilla.suse.com/show_bug.cgi?id=1215932 for more information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4610", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4610", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4610", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4610" } }, "CVE-2023-4611": { "affected_versions": "v6.4-rc1 to v6.5-rc4", "breaks": "5e31275cc997f8ec5d9e8d65fe9840ebed89db19", "cmt_msg": "mm/mempolicy: Take VMA lock before replacing policy", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 6.3 }, "fixes": "6c21e066f9256ea1df6f88768f6ae1080b7cf509", "last_affected_version": "6.4.7", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. 
This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4611", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4611", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4611", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4611" } }, "CVE-2023-4622": { "affected_versions": "v4.2-rc1 to v6.5-rc1", "breaks": "869e7c62486ec0e170a9771acaa251d1a33b5871", "cmt_msg": "unix: Convert unix_stream_sendpage() to use MSG_SPLICE_PAGES", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "57d44a354a43edba4ef9963327d4657d12edbfbc", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\n\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. 
Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\n\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4622", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4622", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4622", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4622", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4622" } }, "CVE-2023-4623": { "affected_versions": "v2.6.12-rc2 to v6.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/sched: sch_hfsc: Ensure inner classes have fsc curve", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "last_affected_version": "6.5.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\n\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). 
This leaves a dangling pointer that can cause a use-after-free.\n\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4623", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4623", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4623", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4623", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4623", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4623" } }, "CVE-2023-46343": { "affected_versions": "v3.11-rc1 to v6.6-rc7", "breaks": "391d8a2da787257aeaf952c974405b53926e3fb3", "cmt_msg": "nfc: nci: fix possible NULL pointer dereference in send_acknowledge()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "7937609cd387246aed994e81aa4fa951358fba41", "last_affected_version": "6.5.8", "last_modified": "2024-02-02", "nvd_text": "In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-46343", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-46343", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-46343", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-46343", "SUSE": "https://www.suse.com/security/cve/CVE-2023-46343", "Ubuntu": "https://ubuntu.com/security/CVE-2023-46343" } }, "CVE-2023-46813": { "affected_versions": "v5.10-rc1 to v6.6-rc7", "breaks": "597cfe48212a3f110ab0f918bf59791f453e65b7", "cmt_msg": "x86/sev: Check for user-space IOIO pointing to kernel space", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": 
"High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "cwe": "Unspecified", "fixes": "63e44bc52047f182601e7817da969a105aa1f721", "last_affected_version": "6.5.8", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-46813", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-46813", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-46813", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-46813", "SUSE": "https://www.suse.com/security/cve/CVE-2023-46813", "Ubuntu": "https://ubuntu.com/security/CVE-2023-46813" } }, "CVE-2023-46838": { "affected_versions": "v2.6.12-rc2 to v6.8-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xen-netback: don't produce zero-size SKB frags", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a", "last_affected_version": "6.7.1", "last_modified": "2024-02-02", "nvd_text": "Transmit requests in Xen's virtual network protocol can consist of\nmultiple parts. While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all. 
Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments. Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-46838", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-46838", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-46838", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-46838", "SUSE": "https://www.suse.com/security/cve/CVE-2023-46838", "Ubuntu": "https://ubuntu.com/security/CVE-2023-46838" } }, "CVE-2023-46862": { "affected_versions": "v5.10-rc1 to v6.6", "breaks": "dbbe9c642411c359ad0a0e32442eb2e11d3811b5", "cmt_msg": "io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "7644b1a1c9a7ae8ab99175989bfc8676055edb46", "last_affected_version": "6.5", "last_modified": "2023-12-06", "nvd_text": "An issue was discovered in the Linux kernel through 6.5.9. 
During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-46862", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-46862", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-46862", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-46862", "SUSE": "https://www.suse.com/security/cve/CVE-2023-46862", "Ubuntu": "https://ubuntu.com/security/CVE-2023-46862" } }, "CVE-2023-47233": { "affected_versions": "v3.7-rc1 to v6.9-rc1", "breaks": "e756af5b30b008f6ffcfebf8ad0b477f6f225b62", "cmt_msg": "wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Physical", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.3 }, "fixes": "0f7352557a35ab7888bc7831411ec8a3cbe20d78", "last_affected_version": "6.7.11", "last_modified": "2024-04-06", "nvd_text": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. 
For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-47233", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-47233", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-47233", "SUSE": "https://www.suse.com/security/cve/CVE-2023-47233", "Ubuntu": "https://ubuntu.com/security/CVE-2023-47233" } }, "CVE-2023-4732": { "affected_versions": "v5.7-rc1 to v5.14-rc1", "breaks": "5a281062af1d43d3f3956a6b429c2d727bc92603", "cmt_msg": "mm/userfaultfd: fix uffd-wp special cases for fork()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "8f34f1eac3820fc2722e5159acceb22545b30b0d", "last_affected_version": "5.13.4", "last_modified": "2024-01-15", "nvd_text": "A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. 
In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4732", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4732", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4732", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4732", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4732", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4732" } }, "CVE-2023-4881": { "affected_versions": "v4.1-rc1 to v6.6-rc1", "breaks": "49499c3e6e18b7677a63316f3ff54a16533dc28f", "cmt_msg": "netfilter: nftables: exthdr: fix 4-byte stack OOB write", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "fd94d9dadee58e09b49075240fe83423eb1dcd36", "last_affected_version": "6.5.3", "last_modified": "2023-12-06", "nvd_text": "Rejected reason: CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4881", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4881", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4881", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4881", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4881", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4881" }, "rejected": true }, "CVE-2023-4921": { "affected_versions": "v3.8-rc1 to v6.6-rc1", "breaks": "462dbc9101acd38e92eda93c0726857517a24bbd", "cmt_msg": "net: sched: sch_qfq: Fix UAF in qfq_dequeue()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": 
"High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "8fc134fee27f2263988ae38920bc03da416b03d8", "last_affected_version": "6.5.3", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\n\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\n\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-4921", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-4921", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-4921", "SUSE": "https://www.suse.com/security/cve/CVE-2023-4921", "Ubuntu": "https://ubuntu.com/security/CVE-2023-4921" } }, "CVE-2023-50431": { "affected_versions": "v5.1-rc1 to v6.8-rc1", "breaks": "c4d66343a46a4931d6a547042198896e4fd1c592", "cmt_msg": "accel/habanalabs: fix information leak in sec_attest_info()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "a9f07790a4b2250f0140e9a61c7f842fd9b618c7", "last_affected_version": "6.7.1", "last_modified": "2024-02-02", "nvd_text": "sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2023-50431", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-50431", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-50431", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-50431", "SUSE": "https://www.suse.com/security/cve/CVE-2023-50431", "Ubuntu": "https://ubuntu.com/security/CVE-2023-50431" } }, "CVE-2023-5090": { "affected_versions": "v6.0-rc1 to v6.6-rc7", "breaks": "4d1d7942e36add0aa741a62d0c8e3aba2d5b3ab1", "cmt_msg": "x86: KVM: SVM: always update the x2avic msr interception", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "b65235f6e102354ccafda601eaa1c5bef5284d21", "last_affected_version": "6.5.8", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in KVM. 
An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5090", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5090", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5090", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5090", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5090", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5090" } }, "CVE-2023-51042": { "affected_versions": "v4.15-rc1 to v6.5-rc1", "breaks": "7a0a48ddf63bc9944b9690c6fa043ea4305f7f79", "cmt_msg": "drm/amdgpu: Fix potential fence use-after-free v2", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "2e54154b9f27262efd0cb4f903cc7d5ad1fe9628", "last_affected_version": "6.4.11", "last_modified": "2024-02-02", "nvd_text": "In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-51042", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-51042", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-51042", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-51042", "SUSE": "https://www.suse.com/security/cve/CVE-2023-51042", "Ubuntu": "https://ubuntu.com/security/CVE-2023-51042" } }, "CVE-2023-51043": { "affected_versions": "v2.6.12-rc2 to v6.5-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/atomic: Fix potential use-after-free in nonblocking commits", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": 
"High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "4e076c73e4f6e90816b30fcd4a0d7ab365087255", "last_affected_version": "6.4.4", "last_modified": "2024-02-02", "nvd_text": "In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-51043", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-51043", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-51043", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-51043", "SUSE": "https://www.suse.com/security/cve/CVE-2023-51043", "Ubuntu": "https://ubuntu.com/security/CVE-2023-51043" } }, "CVE-2023-5158": { "affected_versions": "v5.13-rc1 to v6.6-rc5", "breaks": "b8c06ad4d67db56ed6bdfb685c134da74e92a2c7", "cmt_msg": "vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "7aed44babc7f97e82b38e9a68515e699692cc100", "last_affected_version": "6.5.6", "last_modified": "2023-12-06", "nvd_text": "A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. 
This issue may result in a denial of service from guest to host via zero length descriptor.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5158", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5158", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5158", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5158", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5158", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5158" } }, "CVE-2023-51779": { "affected_versions": "v2.6.12-rc2 to v6.7-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg", "fixes": "2e07e8348ea454615e268222ae3fc240421be768", "last_affected_version": "6.6.8", "last_modified": "2024-04-09", "nvd_text": "bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-51779", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-51779", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-51779", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-51779", "SUSE": "https://www.suse.com/security/cve/CVE-2023-51779", "Ubuntu": "https://ubuntu.com/security/CVE-2023-51779" } }, "CVE-2023-5178": { "affected_versions": "v5.0-rc1 to v6.6-rc7", "backport": true, "breaks": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "cmt_msg": "nvmet-tcp: Fix a possible UAF in queue intialization setup", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "fixes": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "last_affected_version": "6.5.8", "last_modified": "2024-02-09", "nvd_text": "A 
use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5178", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5178", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5178", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5178", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5178" } }, "CVE-2023-51780": { "affected_versions": "v2.6.12-rc2 to v6.7-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "atm: Fix Use-After-Free in do_vcc_ioctl", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3", "last_affected_version": "6.6.7", "last_modified": "2024-02-02", "nvd_text": "An issue was discovered in the Linux kernel before 6.6.8. 
do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-51780", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-51780", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-51780", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-51780", "SUSE": "https://www.suse.com/security/cve/CVE-2023-51780", "Ubuntu": "https://ubuntu.com/security/CVE-2023-51780" } }, "CVE-2023-51781": { "affected_versions": "v2.6.12-rc2 to v6.7-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "appletalk: Fix Use-After-Free in atalk_ioctl", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "189ff16722ee36ced4d2a2469d4ab65a8fee4198", "last_affected_version": "6.6.7", "last_modified": "2024-02-02", "nvd_text": "An issue was discovered in the Linux kernel before 6.6.8. 
atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-51781", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-51781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-51781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-51781", "SUSE": "https://www.suse.com/security/cve/CVE-2023-51781", "Ubuntu": "https://ubuntu.com/security/CVE-2023-51781" } }, "CVE-2023-51782": { "affected_versions": "v2.6.12-rc2 to v6.7-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "net/rose: Fix Use-After-Free in rose_ioctl", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "810c38a369a0a0ce625b5c12169abce1dd9ccd53", "last_affected_version": "6.6.7", "last_modified": "2024-02-02", "nvd_text": "An issue was discovered in the Linux kernel before 6.6.8. 
rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-51782", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-51782", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-51782", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-51782", "SUSE": "https://www.suse.com/security/cve/CVE-2023-51782", "Ubuntu": "https://ubuntu.com/security/CVE-2023-51782" } }, "CVE-2023-5197": { "affected_versions": "v5.9-rc1 to v6.6-rc3", "breaks": "d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87", "cmt_msg": "netfilter: nf_tables: disallow rule removal from chain binding", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "score": 6.6 }, "fixes": "f15f29fd4779be8a418b66e9d52979bb6d6c2325", "last_affected_version": "6.5.5", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nAddition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.\n\nWe recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5197", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5197", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5197", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5197", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5197" } }, "CVE-2023-52340": { "affected_versions": "v2.6.12-rc2 to v6.3-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv6: remove max_size check 
inline with ipv4", "fixes": "af6d10345ca76670c1b7c37799f0d5576ccef277", "last_affected_version": "6.1.72", "last_modified": "2024-02-24", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52340", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52340", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52340", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52340", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52340", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52340" } }, "CVE-2023-52429": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dm: limit the number of targets and parameter size area", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "bd504bcfec41a503b32054da5472904b404341a4", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52429", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52429", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52429", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52429", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52429" } }, "CVE-2023-52433": { "affected_versions": "v6.5-rc6 to v6.6-rc1", "breaks": "f6c383b8c31a", "cmt_msg": "netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction", "fixes": "2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4", 
"last_affected_version": "6.5.3", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip sync GC for new elements in this transaction\n\nNew elements in this transaction might expired before such transaction\nends. Skip sync GC for such elements otherwise commit path might walk\nover an already released object. Once transaction is finished, async GC\nwill collect such expired element.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52433", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52433", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52433", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52433", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52433", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52433" } }, "CVE-2023-52434": { "affected_versions": "v2.6.12-rc2 to v6.7-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "smb: client: fix potential OOBs in smb2_parse_contexts()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.0 }, "fixes": "af1689a9b7701d9907dfc84d2a4b57c4bc907144", "last_affected_version": "6.6.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n BUG: unable to handle page fault for address: ffff8881178d8cc3\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 4a01067 P4D 4a01067 PUD 0\n Oops: 
0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x181/0x480\n ? search_module_extables+0x19/0x60\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x1b6/0x1c0\n ? asm_exc_page_fault+0x26/0x30\n ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n SMB2_open+0x38d/0x5f0 [cifs]\n ? smb2_is_path_accessible+0x138/0x260 [cifs]\n smb2_is_path_accessible+0x138/0x260 [cifs]\n cifs_is_path_remote+0x8d/0x230 [cifs]\n cifs_mount+0x7e/0x350 [cifs]\n cifs_smb3_do_mount+0x128/0x780 [cifs]\n smb3_get_tree+0xd9/0x290 [cifs]\n vfs_get_tree+0x2c/0x100\n ? capable+0x37/0x70\n path_mount+0x2d7/0xb80\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? 
_raw_spin_unlock_irqrestore+0x44/0x60\n __x64_sys_mount+0x11a/0x150\n do_syscall_64+0x47/0xf0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7f8737657b1e", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52434", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52434", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52434", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52434", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52434" } }, "CVE-2023-52435": { "affected_versions": "v4.8-rc1 to v6.7-rc6", "breaks": "3953c46c3ac7eef31a9935427371c6f54a22f1ba", "cmt_msg": "net: prevent mss overflow in skb_segment()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "23d05d563b7e7b0314e65c8e882bc27eac2da8e7", "last_affected_version": "6.6.10", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google 
Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 
arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52435", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52435", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52435", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52435", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52435" } }, "CVE-2023-52436": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: explicitly null-terminate the xattr list", "fixes": "e26b6d39270f5eab0087453d9b544189a38c8564", "last_affected_version": "6.7.0", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following 
vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52436", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52436", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52436", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52436", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52436", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52436" } }, "CVE-2023-52438": { "affected_versions": "v4.20-rc1 to v6.8-rc1", "breaks": "dd2283f2605e", "cmt_msg": "binder: fix use-after-free in shinker's callback", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "3f489c2067c5824528212b0fc18b28d51332d906", "last_affected_version": "6.7.0", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. 
The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. 
Plus, mmap_write_trylock() has been\nrecently removed anyway.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52438", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52438", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52438", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52438", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52438" } }, "CVE-2023-52439": { "affected_versions": "v4.18-rc5 to v6.8-rc1", "breaks": "57c5f4df0a5a", "cmt_msg": "uio: Fix use-after-free in uio_open", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "0c9ae0b8605078eafc3bea053cc78791e97ba2e2", "last_affected_version": "6.7.0", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. 
When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52439", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52439", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52439", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52439", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52439", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52439" } }, "CVE-2023-52440": { "affected_versions": "v5.17-rc4 to v6.6-rc1", "breaks": "f9929ef6a2a55f03aac61248c6a3a987b8546f2a", "cmt_msg": "ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "4b081ce0d830b684fdf967abc3696d1261387254", "last_affected_version": "6.5.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()\n\nIf authblob->SessionKey.Length is bigger than session key\nsize(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.\ncifs_arc4_crypt copy to session key array from SessionKey from client.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52440", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52440", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52440", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52440", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52440", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52440" } }, "CVE-2023-52441": { "affected_versions": "v5.15-rc1 to v6.5-rc4", "breaks": 
"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: fix out of bounds in init_smb2_rsp_hdr()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "536bb492d39bb6c080c92f31e8a55fe9934f452b", "last_affected_version": "6.4.15", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\n\nIf client send smb2 negotiate request and then send smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for smb1 negotiate request since\nneed_neg is set to false. This patch ignore smb1 packets after ->need_neg\nis set to false.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52441", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52441", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52441", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52441", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52441", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52441" } }, "CVE-2023-52442": { "affected_versions": "v2.6.12-rc2 to v6.5-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ksmbd: validate session id and tree id in compound request", "fixes": "3df0411e132ee74a87aa13142dfd2b190275332e", "last_affected_version": "6.4.15", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate session id and tree id in compound request\n\n`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session()\nwill always return the first request smb2 header in a compound request.\nif `SMB2_TREE_CONNECT_HE` is the first command in compound request, will\nreturn 0, i.e. 
The tree id check is skipped.\nThis patch use ksmbd_req_buf_next() to get current command in compound.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52442", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52442", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52442", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52442", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52442", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52442" } }, "CVE-2023-52443": { "affected_versions": "v4.11-rc1 to v6.8-rc1", "breaks": "04dc715e24d0", "cmt_msg": "apparmor: avoid crash when parsed profile name is empty", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "55a8210c9e7d21ff2644809699765796d4bfb200", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: avoid crash when parsed profile name is empty\n\nWhen processing a packed profile in unpack_profile() described like\n\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\n\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\n\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. 
Later\naa_alloc_profile() crashes as the new profile name is NULL now.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n \n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\n\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). 
Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\n\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\n\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\n\nFound by Linux Verification Center (linuxtesting.org).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52443", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52443", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52443", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52443", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52443", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52443" } }, "CVE-2023-52444": { "affected_versions": "v4.2-rc1 to v6.8-rc1", "breaks": "7e01e7ad746b", "cmt_msg": "f2fs: fix to avoid dirent corruption", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "53edb549565f55ccd0bdf43be3d66ce4c2d48b28", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid dirent corruption\n\nAs Al reported in link[1]:\n\nf2fs_rename()\n...\n\tif (old_dir != new_dir && !whiteout)\n\t\tf2fs_set_link(old_inode, old_dir_entry,\n\t\t\t\t\told_dir_page, new_dir);\n\telse\n\t\tf2fs_put_page(old_dir_page, 0);\n\nYou want correct inumber in the \"..\" link. 
And cross-directory\nrename does move the source to new parent, even if you'd been asked\nto leave a whiteout in the old place.\n\n[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/\n\nWith below testcase, it may cause dirent corruption, due to it missed\nto call f2fs_set_link() to update \"..\" link to new directory.\n- mkdir -p dir/foo\n- renameat2 -w dir/foo bar\n\n[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3]\n[FSCK] other corrupted bugs [Fail]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52444", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52444", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52444", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52444", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52444", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52444" } }, "CVE-2023-52445": { "affected_versions": "v2.6.26-rc1 to v6.8-rc1", "breaks": "e5be15c63804", "cmt_msg": "media: pvrusb2: fix use after free on context disconnection", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "ded85b0c0edd8f45fec88783d7555a5b982449c1", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix use after free on context disconnection\n\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. 
This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52445", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52445", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52445", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52445", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52445", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52445" } }, "CVE-2023-52446": { "affected_versions": "v6.2-rc1 to v6.8-rc1", "breaks": "958cf2e273f0", "cmt_msg": "bpf: Fix a race condition between btf_put() and map_free()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "59e5791f59dd83e8aa72a4e74217eabb6e8cfd90", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a race condition between btf_put() and map_free()\n\nWhen running `./test_progs -j` in my local vm with latest kernel,\nI once hit a kasan error like below:\n\n [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830\n [ 1887.186498]\n [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494\n [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred\n [ 1887.190341] Call Trace:\n [ 1887.190666] \n [ 1887.190949] dump_stack_lvl+0xac/0xe0\n [ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0\n [ 1887.192019] ? 
panic+0x3c0/0x3c0\n [ 1887.192449] print_report+0x14f/0x720\n [ 1887.192930] ? preempt_count_sub+0x1c/0xd0\n [ 1887.193459] ? __virt_addr_valid+0xac/0x120\n [ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.194572] kasan_report+0xc3/0x100\n [ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0\n [ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0\n [ 1887.196736] ? preempt_count_sub+0x1c/0xd0\n [ 1887.197270] ? preempt_count_sub+0x1c/0xd0\n [ 1887.197802] ? _raw_spin_unlock+0x1f/0x40\n [ 1887.198319] bpf_obj_free_fields+0x1d4/0x260\n [ 1887.198883] array_map_free+0x1a3/0x260\n [ 1887.199380] bpf_map_free_deferred+0x7b/0xe0\n [ 1887.199943] process_scheduled_works+0x3a2/0x6c0\n [ 1887.200549] worker_thread+0x633/0x890\n [ 1887.201047] ? __kthread_parkme+0xd7/0xf0\n [ 1887.201574] ? kthread+0x102/0x1d0\n [ 1887.202020] kthread+0x1ab/0x1d0\n [ 1887.202447] ? pr_cont_work+0x270/0x270\n [ 1887.202954] ? kthread_blkcg+0x50/0x50\n [ 1887.203444] ret_from_fork+0x34/0x50\n [ 1887.203914] ? 
kthread_blkcg+0x50/0x50\n [ 1887.204397] ret_from_fork_asm+0x11/0x20\n [ 1887.204913] \n [ 1887.204913] \n [ 1887.205209]\n [ 1887.205416] Allocated by task 2197:\n [ 1887.205881] kasan_set_track+0x3f/0x60\n [ 1887.206366] __kasan_kmalloc+0x6e/0x80\n [ 1887.206856] __kmalloc+0xac/0x1a0\n [ 1887.207293] btf_parse_fields+0xa15/0x1480\n [ 1887.207836] btf_parse_struct_metas+0x566/0x670\n [ 1887.208387] btf_new_fd+0x294/0x4d0\n [ 1887.208851] __sys_bpf+0x4ba/0x600\n [ 1887.209292] __x64_sys_bpf+0x41/0x50\n [ 1887.209762] do_syscall_64+0x4c/0xf0\n [ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b\n [ 1887.210868]\n [ 1887.211074] Freed by task 36:\n [ 1887.211460] kasan_set_track+0x3f/0x60\n [ 1887.211951] kasan_save_free_info+0x28/0x40\n [ 1887.212485] ____kasan_slab_free+0x101/0x180\n [ 1887.213027] __kmem_cache_free+0xe4/0x210\n [ 1887.213514] btf_free+0x5b/0x130\n [ 1887.213918] rcu_core+0x638/0xcc0\n [ 1887.214347] __do_softirq+0x114/0x37e\n\nThe error happens at bpf_rb_root_free+0x1f8/0x2b0:\n\n 00000000000034c0 :\n ; {\n 34c0: f3 0f 1e fa endbr64\n 34c4: e8 00 00 00 00 callq 0x34c9 \n 34c9: 55 pushq %rbp\n 34ca: 48 89 e5 movq %rsp, %rbp\n ...\n ; if (rec && rec->refcount_off >= 0 &&\n 36aa: 4d 85 ed testq %r13, %r13\n 36ad: 74 a9 je 0x3658 \n 36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi\n 36b3: e8 00 00 00 00 callq 0x36b8 \n <==== kasan function\n 36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d\n <==== use-after-free load\n 36bc: 45 85 ff testl %r15d, %r15d\n 36bf: 78 8c js 0x364d \n\nSo the problem \n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52446", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52446", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52446", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52446", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52446", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52446" } }, "CVE-2023-52447": { "affected_versions": "v5.9-rc1 to 
v6.8-rc1", "breaks": "bba1dc0b55ac", "cmt_msg": "bpf: Defer the free of inner map when necessary", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "876673364161da50eed6b472d746ef88242b2368", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer the free of inner map when necessary\n\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\n\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. 
The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52447", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52447", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52447", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52447", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52447", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52447" } }, "CVE-2023-52448": { "affected_versions": "v4.20-rc1 to v6.8-rc1", "breaks": "72244b6bc752", "cmt_msg": "gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "8877243beafa7c6bfc42022cbfdf9e39b25bd4fa", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\n\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating\nrgd->rd_gl fails in read_rindex_entry(). 
Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52448", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52448", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52448", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52448", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52448", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52448" } }, "CVE-2023-52449": { "affected_versions": "v2.6.31-rc1 to v6.8-rc1", "breaks": "2ba3d76a1e29", "cmt_msg": "mtd: Fix gluebi NULL pointer dereference caused by ftl notifier", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\n\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n\u2018gluebi->desc\u2019 in gluebi_read().\n\nubi_gluebi_init\n ubi_register_volume_notifier\n ubi_enumerate_volumes\n ubi_notify_all\n gluebi_notify nb->notifier_call()\n gluebi_create\n mtd_device_register\n mtd_device_parse_register\n add_mtd_device\n blktrans_notify_add not->add()\n ftl_add_mtd tr->add_mtd()\n scan_header\n mtd_read\n mtd_read_oob\n mtd_read_oob_std\n gluebi_read mtd->read()\n gluebi->desc - NULL\n\nDetailed reproduction information available at the Link [1],\n\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). 
However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\n\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52449", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52449", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52449", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52449", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52449", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52449" } }, "CVE-2023-52450": { "affected_versions": "v6.2-rc1 to v6.8-rc1", "breaks": "f680b6e6062e", "cmt_msg": "perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "1692cf434ba13ee212495b5af795b6a07e986ce4", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()\n\nGet logical socket id instead of physical id in discover_upi_topology()\nto avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line\nthat leads to NULL pointer dereference in upi_fill_topology()", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52450", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52450", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52450", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-52450", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52450", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52450" } }, "CVE-2023-52451": { "affected_versions": "v4.1-rc1 to v6.8-rc1", "breaks": "51925fb3c5c9", "cmt_msg": "powerpc/pseries/memhp: Fix access beyond end of drmem array", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/memhp: Fix access beyond end of drmem array\n\ndlpar_memory_remove_by_index() may access beyond the bounds of the\ndrmem lmb array when the LMB lookup fails to match an entry with the\ngiven DRC index. When the search fails, the cursor is left pointing to\n&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the\nlast valid entry in the array. 
The debug message at the end of the\nfunction then dereferences this pointer:\n\n pr_debug(\"Failed to hot-remove memory at %llx\\n\",\n lmb->base_addr);\n\nThis was found by inspection and confirmed with KASAN:\n\n pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658\n Read of size 8 at addr c000000364e97fd0 by task bash/949\n\n dump_stack_lvl+0xa4/0xfc (unreliable)\n print_report+0x214/0x63c\n kasan_report+0x140/0x2e0\n __asan_load8+0xa8/0xe0\n dlpar_memory+0x298/0x1658\n handle_dlpar_errorlog+0x130/0x1d0\n dlpar_store+0x18c/0x3e0\n kobj_attr_store+0x68/0xa0\n sysfs_kf_write+0xc4/0x110\n kernfs_fop_write_iter+0x26c/0x390\n vfs_write+0x2d4/0x4e0\n ksys_write+0xac/0x1a0\n system_call_exception+0x268/0x530\n system_call_vectored_common+0x15c/0x2ec\n\n Allocated by task 1:\n kasan_save_stack+0x48/0x80\n kasan_set_track+0x34/0x50\n kasan_save_alloc_info+0x34/0x50\n __kasan_kmalloc+0xd0/0x120\n __kmalloc+0x8c/0x320\n kmalloc_array.constprop.0+0x48/0x5c\n drmem_init+0x2a0/0x41c\n do_one_initcall+0xe0/0x5c0\n kernel_init_freeable+0x4ec/0x5a0\n kernel_init+0x30/0x1e0\n ret_from_kernel_user_thread+0x14/0x1c\n\n The buggy address belongs to the object at c000000364e80000\n which belongs to the cache kmalloc-128k of size 131072\n The buggy address is located 0 bytes to the right of\n allocated 98256-byte region [c000000364e80000, c000000364e97fd0)\n\n ==================================================================\n pseries-hotplug-mem: Failed to hot-remove memory at 0\n\nLog failed lookups with a separate message and dereference the\ncursor only when it points to a valid entry.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52451", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52451", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52451", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-52451", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52451", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52451" } }, "CVE-2023-52452": { "affected_versions": "v5.12-rc1-dontuse to v6.8-rc1", "breaks": "01f810ace9ed3", "cmt_msg": "bpf: Fix accesses to uninit stack slots", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "6b4a64bafd107e521c01eec3453ce94a3fb38529", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. 
Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. 
The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52452", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52452", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52452", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52452", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52452" } }, "CVE-2023-52453": { "affected_versions": "v6.2-rc1 to v6.8-rc1", "breaks": "d9a871e4a143047d1d84a606772af319f11516f9", "cmt_msg": "hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume", "fixes": "be12ad45e15b5ee0e2526a50266ba1d295d26a88", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume\n\nWhen the optional PRE_COPY support was added to speed up the device\ncompatibility check, it failed to update the saving/resuming data\npointers based on the fd offset. 
This results in migration data\ncorruption and when the device gets started on the destination the\nfollowing error is reported in some cases,\n\n[ 478.907684] arm-smmu-v3 arm-smmu-v3.2.auto: event 0x10 received:\n[ 478.913691] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000310200000010\n[ 478.919603] arm-smmu-v3 arm-smmu-v3.2.auto: 0x000002088000007f\n[ 478.925515] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000\n[ 478.931425] arm-smmu-v3 arm-smmu-v3.2.auto: 0x0000000000000000\n[ 478.947552] hisi_zip 0000:31:00.0: qm_axi_rresp [error status=0x1] found\n[ 478.955930] hisi_zip 0000:31:00.0: qm_db_timeout [error status=0x400] found\n[ 478.955944] hisi_zip 0000:31:00.0: qm sq doorbell timeout in function 2", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52453", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52453", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52453", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52453", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52453", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52453" } }, "CVE-2023-52454": { "affected_versions": "v5.0-rc1 to v6.8-rc1", "breaks": "872d26a391da92ed8f0c0f5cb5fef428067b7f30", "cmt_msg": "nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length", "fixes": "efa56305908ba20de2104f1b8508c6a7401833be", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't 
coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52454", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52454", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52454", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52454", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52454", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52454" } }, "CVE-2023-52455": { "affected_versions": "v6.3-rc1 to v6.8-rc1", "breaks": "a5bf3cfce8cb77d9d24613ab52d520896f83dd48", "cmt_msg": "iommu: Don't reserve 0-length IOVA region", "fixes": "bb57f6705960bebeb832142ce9abf43220c3eab1", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Don't reserve 0-length IOVA region\n\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. 
Also, add\na warning if firmware is requesting 0-length IOVA region reservation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52455", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52455", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52455", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52455", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52455", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52455" } }, "CVE-2023-52456": { "affected_versions": "v5.9-rc1 to v6.8-rc1", "breaks": "cb1a609236096c278ecbfb7be678a693a70283f1", "cmt_msg": "serial: imx: fix tx statemachine deadlock", "fixes": "78d60dae9a0c9f09aa3d6477c94047df2fe6f7b0", "last_affected_version": "6.7.1", "last_modified": "2024-04-06", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: fix tx statemachine deadlock\n\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. afer that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\n\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. 
This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52456", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52456", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52456", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52456", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52456", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52456" } }, "CVE-2023-52457": { "affected_versions": "v6.1-rc6 to v6.8-rc1", "breaks": "e3f0c638f428fd66b5871154b62706772045f91a", "cmt_msg": "serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed", "fixes": "ad90d0358bd3b4554f243a425168fc7cebe7d04e", "last_affected_version": "6.7.1", "last_modified": "2024-04-06", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed\n\nReturning an error code from .remove() makes the driver core emit the\nlittle helpful error message:\n\n\tremove callback returned a non-zero value. This will be ignored.\n\nand then remove the device anyhow. So all resources that were not freed\nare leaked in this case. 
Skipping serial8250_unregister_port() has the\npotential to keep enough of the UART around to trigger a use-after-free.\n\nSo replace the error return (and with it the little helpful error\nmessage) by a more useful error message and continue to cleanup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52457", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52457", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52457", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52457", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52457", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52457" } }, "CVE-2023-52458": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block: add check that partition length needs to be aligned with block size", "fixes": "6f64f866aa1ae6975c95d805ed51d7e9433a0016", "last_affected_version": "6.7.1", "last_modified": "2024-04-06", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: add check that partition length needs to be aligned with block size\n\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52458", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52458", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52458", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52458", "SUSE": 
"https://www.suse.com/security/cve/CVE-2023-52458", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52458" } }, "CVE-2023-52459": { "affected_versions": "v6.6-rc1 to v6.8-rc1", "breaks": "28a1295795d85a25f2e7dd391c43969e95fcb341", "cmt_msg": "media: v4l: async: Fix duplicated list deletion", "fixes": "3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix duplicated list deletion\n\nThe list deletion call dropped here is already called from the\nhelper function in the line before. Having a second list_del()\ncall results in either a warning (with CONFIG_DEBUG_LIST=y):\n\nlist_del corruption, c46c8198->next is LIST_POISON1 (00000100)\n\nIf CONFIG_DEBUG_LIST is disabled the operation results in a\nkernel error due to NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52459", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52459", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52459", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52459", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52459", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52459" } }, "CVE-2023-52460": { "affected_versions": "v6.7-rc1 to v6.8-rc1", "breaks": "7966f319c66d9468623c6a6a017ecbc0dd79be75", "cmt_msg": "drm/amd/display: Fix NULL pointer dereference at hibernate", "fixes": "b719a9c15d52d4f56bdea8241a5d90fd9197ce99", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference at hibernate\n\nDuring hibernate sequence the source context might not have a clk_mgr.\nSo don't use it to look for DML2 support.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52460", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2023-52460", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52460", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52460", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52460", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52460" } }, "CVE-2023-52461": { "affected_versions": "v6.7-rc1 to v6.8-rc1", "breaks": "56e449603f0ac580700621a356d35d5716a62ce5", "cmt_msg": "drm/sched: Fix bounds limiting when given a malformed entity", "fixes": "2bbe6ab2be53858507f11f99f856846d04765ae3", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix bounds limiting when given a malformed entity\n\nIf we're given a malformed entity in drm_sched_entity_init()--shouldn't\nhappen, but we verify--with out-of-bounds priority value, we set it to an\nallowed value. Fix the expression which sets this limit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52461", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52461", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52461", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52461", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52461", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52461" } }, "CVE-2023-52462": { "affected_versions": "v5.16-rc1 to v6.8-rc1", "breaks": "27113c59b6d0a587b29ae72d4ff3f832f58b0651", "cmt_msg": "bpf: fix check for attempt to corrupt spilled pointer", "fixes": "ab125ed3ec1c10ccc36bc98c7a4256ad114a3dae", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix check for attempt to corrupt spilled pointer\n\nWhen register is spilled onto a stack as a 1/2/4-byte register, we set\nslot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,\ndepending on actual spill size). 
So to check if some stack slot has\nspilled register we need to consult slot_type[7], not slot_type[0].\n\nTo avoid the need to remember and double-check this in the future, just\nuse is_spilled_reg() helper.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52462", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52462", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52462", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52462", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52462", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52462" } }, "CVE-2023-52463": { "affected_versions": "v5.8-rc7 to v6.8-rc1", "breaks": "f88814cc2578c121e6edef686365036db72af0ed", "cmt_msg": "efivarfs: force RO when remounting if SetVariable is not supported", "fixes": "0e8d2444168dd519fea501599d150e62718ed2fe", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: force RO when remounting if SetVariable is not supported\n\nIf SetVariable at runtime is not supported by the firmware we never assign\na callback for that function. At the same time mount the efivarfs as\nRO so no one can call that. However, we never check the permission flags\nwhen someone remounts the filesystem as RW. 
As a result this leads to a\ncrash looking like this:\n\n$ mount -o remount,rw /sys/firmware/efi/efivars\n$ efi-updatevar -f PK.auth PK\n\n[ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 303.280482] Mem abort info:\n[ 303.280854] ESR = 0x0000000086000004\n[ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits\n[ 303.282016] SET = 0, FnV = 0\n[ 303.282414] EA = 0, S1PTW = 0\n[ 303.282821] FSC = 0x04: level 0 translation fault\n[ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000\n[ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n[ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6\n[ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1\n[ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023\n[ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 303.292123] pc : 0x0\n[ 303.292443] lr : efivar_set_variable_locked+0x74/0xec\n[ 303.293156] sp : ffff800008673c10\n[ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000\n[ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027\n[ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000\n[ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000\n[ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54\n[ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4\n[ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002\n[ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201\n[ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc\n[ 303.302370] x2 : 
0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000\n[ 303.303341] Call trace:\n[ 303.303679] 0x0\n[ 303.303938] efivar_entry_set_get_size+0x98/0x16c\n[ 303.304585] efivarfs_file_write+0xd0/0x1a4\n[ 303.305148] vfs_write+0xc4/0x2e4\n[ 303.305601] ksys_write+0x70/0x104\n[ 303.306073] __arm64_sys_write+0x1c/0x28\n[ 303.306622] invoke_syscall+0x48/0x114\n[ 303.307156] el0_svc_common.constprop.0+0x44/0xec\n[ 303.307803] do_el0_svc+0x38/0x98\n[ 303.308268] el0_svc+0x2c/0x84\n[ 303.308702] el0t_64_sync_handler+0xf4/0x120\n[ 303.309293] el0t_64_sync+0x190/0x194\n[ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)\n[ 303.310612] ---[ end trace 0000000000000000 ]---\n\nFix this by adding a .reconfigure() function to the fs operations which\nwe can use to check the requested flags and deny anything that's not RO\nif the firmware doesn't implement SetVariable at runtime.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52463", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52463", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52463", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52463", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52463", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52463" } }, "CVE-2023-52464": { "affected_versions": "v4.12-rc1 to v6.8-rc1", "breaks": "41003396f932d7f027725c7acebb6a7caa41dc3e", "cmt_msg": "EDAC/thunderx: Fix possible out-of-bounds string access", "fixes": "475c58e1a471e9b873e3e39958c64a2d278275c8", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/thunderx: Fix possible out-of-bounds string access\n\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\n\n drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 
1024 equals destination size [-Werror=stringop-overflow=]\n 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n ...\n 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);\n ...\n 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);\n\n ...\n\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\n\nChange it to strlcat().\n\n [ bp: Trim compiler output, fixup commit message. ]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52464", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52464", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52464", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52464", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52464", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52464" } }, "CVE-2023-52465": { "affected_versions": "v6.5-rc1 to v6.8-rc1", "breaks": "8648aeb5d7b70e13264ff5f444f22081d37d4670", "cmt_msg": "power: supply: Fix null pointer dereference in smb2_probe", "fixes": "88f04bc3e737155e13caddf0ba8ed19db87f0212", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: Fix null pointer dereference in smb2_probe\n\ndevm_kasprintf and devm_kzalloc return a pointer to dynamically\nallocated memory which can be NULL upon failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52465", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52465", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52465", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52465", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52465", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52465" } 
}, "CVE-2023-52467": { "affected_versions": "v5.9-rc1 to v6.8-rc1", "breaks": "e15d7f2b81d2e7d93115d46fa931b366c1cdebc2", "cmt_msg": "mfd: syscon: Fix null pointer dereference in of_syscon_register()", "fixes": "41673c66b3d0c09915698fec5c13b24336f18dd1", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52467", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52467", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52467", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52467", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52467", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52467" } }, "CVE-2023-52468": { "affected_versions": "v6.4-rc1 to v6.8-rc1", "breaks": "dcfbb67e48a2becfce7990386e985b9c45098ee5", "cmt_msg": "class: fix use-after-free in class_register()", "fixes": "93ec4a3b76404bce01bd5c9032bef5df6feb1d62", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix use-after-free in class_register()\n\nThe lock_class_key is still registered and can be found in\nlock_keys_hash hlist after subsys_private is freed in error\nhandler path.A task who iterate over the lock_keys_hash\nlater may cause use-after-free.So fix that up and unregister\nthe lock_class_key before kfree(cp).\n\nOn our platform, a driver fails to kset_register because of\ncreating duplicate filename '/class/xxx'.With Kasan enabled,\nit prints a invalid-access bug report.\n\nKASAN bug report:\n\nBUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc\nWrite of size 8 at addr 15ffff808b8c0368 by task modprobe/252\nPointer 
tag: [15], memory tag: [fe]\n\nCPU: 7 PID: 252 Comm: modprobe Tainted: G W\n 6.6.0-mainline-maybe-dirty #1\n\nCall trace:\ndump_backtrace+0x1b0/0x1e4\nshow_stack+0x2c/0x40\ndump_stack_lvl+0xac/0xe0\nprint_report+0x18c/0x4d8\nkasan_report+0xe8/0x148\n__hwasan_store8_noabort+0x88/0x98\nlockdep_register_key+0x19c/0x1bc\nclass_register+0x94/0x1ec\ninit_module+0xbc/0xf48 [rfkill]\ndo_one_initcall+0x17c/0x72c\ndo_init_module+0x19c/0x3f8\n...\nMemory state around the buggy address:\nffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a\nffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe\n>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\n ^\nffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03\n\nAs CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access\nnot use-after-free here.In this case, modprobe is manipulating\nthe corrupted lock_keys_hash hlish where lock_class_key is already\nfreed before.\n\nIt's worth noting that this only can happen if lockdep is enabled,\nwhich is not true for normal system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52468", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52468", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52468", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52468", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52468", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52468" } }, "CVE-2023-52469": { "affected_versions": "v4.2-rc1 to v6.8-rc1", "breaks": "a2e73f56fa6282481927ec43aa9362c03c2e2104", "cmt_msg": "drivers/amd/pm: fix a use-after-free in kv_parse_power_table", "fixes": "28dd788382c43b330480f57cd34cde0840896743", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\n\nWhen ps allocated by kzalloc equals to NULL, 
kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\n\nkv_parse_power_table\n |-> kv_dpm_init\n |-> kv_dpm_sw_init\n\t |-> kv_dpm_fini\n\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52469", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52469", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52469", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52469", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52469", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52469" } }, "CVE-2023-52470": { "affected_versions": "v3.16-rc1 to v6.8-rc1", "breaks": "fa7f517cb26eb1a1a1f0baffcced39f6c3ec3337", "cmt_msg": "drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()", "fixes": "7a2464fac80d42f6f8819fed97a553e9c2f43310", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check the alloc_workqueue return value in radeon_crtc_init()\n\ncheck the alloc_workqueue return value in radeon_crtc_init()\nto avoid null-ptr-deref.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52470", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52470", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52470", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52470", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52470", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52470" } }, "CVE-2023-52471": { "affected_versions": "v6.7-rc1 to v6.8-rc1", "breaks": "d938a8cca88a5f02f523f95fe3d2d1214f4b4a8d", "cmt_msg": "ice: Fix some null pointer dereference issues in ice_ptp.c", "fixes": "3027e7b15b02d2d37e3f82d6b8404f6d37e3b8cf", 
"last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix some null pointer dereference issues in ice_ptp.c\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52471", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52471", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52471", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52471", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52471", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52471" } }, "CVE-2023-52472": { "affected_versions": "v6.5-rc1 to v6.8-rc1", "breaks": "6637e11e4ad22ff03183da0dbd36d65c98b81cf7", "cmt_msg": "crypto: rsa - add a check for allocation failure", "fixes": "d872ca165cb67112f2841ef9c37d51ef7e63d1e4", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rsa - add a check for allocation failure\n\nStatic checkers insist that the mpi_alloc() allocation can fail so add\na check to prevent a NULL dereference. 
Small allocations like this\ncan't actually fail in current kernels, but adding a check is very\nsimple and makes the static checkers happy.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52472", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52472", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52472", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52472", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52472", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52472" } }, "CVE-2023-52473": { "affected_versions": "v6.4-rc1 to v6.8-rc1", "breaks": "3d439b1a2ad36c8b4ea151c8de25309d60d17407", "cmt_msg": "thermal: core: Fix NULL pointer dereference in zone registration error path", "fixes": "04e6ccfc93c5a1aa1d75a537cf27e418895e20ea", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix NULL pointer dereference in zone registration error path\n\nIf device_register() in thermal_zone_device_register_with_trips()\nreturns an error, the tz variable is set to NULL and subsequently\ndereferenced in kfree(tz->tzp).\n\nCommit adc8749b150c (\"thermal/drivers/core: Use put_device() if\ndevice_register() fails\") added the tz = NULL assignment in question to\navoid a possible double-free after dropping the reference to the zone\ndevice. 
However, after commit 4649620d9404 (\"thermal: core: Make\nthermal_zone_device_unregister() return after freeing the zone\"), that\nassignment has become redundant, because dropping the reference to the\nzone device does not cause the zone object to be freed any more.\n\nDrop it to address the NULL pointer dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52473", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52473", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52473", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52473", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52473", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52473" } }, "CVE-2023-52474": { "affected_versions": "v4.14-rc1 to v6.4-rc1", "breaks": "7be85676f1d13c77a7e0c72e04903bfd39580d4f", "cmt_msg": "IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests", "fixes": "00cbce5cbf88459cd1aa1d60d0f1df15477df127", "last_affected_version": "6.3.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests\n\nhfi1 user SDMA request processing has two bugs that can cause data\ncorruption for user SDMA requests that have multiple payload iovecs\nwhere an iovec other than the tail iovec does not run up to the page\nboundary for the buffer pointed to by that iovec.a\n\nHere are the specific bugs:\n1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.\n Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec\n to the packet, even if some of those bytes are past\n iovec->iov.iov_len and are thus not intended to be in the packet.\n2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the\n next iovec in user_sdma_request->iovs when the current iovec\n is not PAGE_SIZE and does not contain enough data to complete the\n packet. 
The transmitted packet will contain the wrong data from the\n iovec pages.\n\nThis has not been an issue with SDMA packets from hfi1 Verbs or PSM2\nbecause they only produce iovecs that end short of PAGE_SIZE as the tail\niovec of an SDMA request.\n\nFixing these bugs exposes other bugs with the SDMA pin cache\n(struct mmu_rb_handler) that get in way of supporting user SDMA requests\nwith multiple payload iovecs whose buffers do not end at PAGE_SIZE. So\nthis commit fixes those issues as well.\n\nHere are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec\npayload user SDMA requests can hit:\n1. Overlapping memory ranges in mmu_rb_handler will result in duplicate\n pinnings.\n2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node),\n the mmu_rb code (1) removes the existing entry under a lock, (2)\n releases that lock, pins the new pages, (3) then reacquires the lock\n to insert the extended mmu_rb_node.\n\n If someone else comes in and inserts an overlapping entry between (2)\n and (3), insert in (3) will fail.\n\n The failure path code in this case unpins _all_ pages in either the\n original mmu_rb_node or the new mmu_rb_node that was inserted between\n (2) and (3).\n3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is\n incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node\n could be evicted by another thread that gets mmu_rb_handler->lock and\n checks mmu_rb_node->refcount before mmu_rb_node->refcount is\n incremented.\n4. 
Related to #2 above, SDMA request submission failure path does not\n check mmu_rb_node->refcount before freeing mmu_rb_node object.\n\n If there are other SDMA requests in progress whose iovecs have\n pointers to the now-freed mmu_rb_node(s), those pointers to the\n now-freed mmu_rb nodes will be dereferenced when those SDMA requests\n complete.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52474", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52474", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52474", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52474", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52474", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52474" } }, "CVE-2023-52475": { "affected_versions": "v2.6.12-rc2 to v6.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "Input: powermate - fix use-after-free in powermate_config_complete", "fixes": "5c15c60e7be615f05a45cd905093a54b11f461bc", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct. 
When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52475", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52475", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52475", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52475", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52475", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52475" } }, "CVE-2023-52476": { "affected_versions": "v2.6.12-rc2 to v6.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "perf/x86/lbr: Filter vsyscall addresses", "fixes": "e53899771a02f798d436655efbd9d4b46c0f9265", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/lbr: Filter vsyscall addresses\n\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\n\n __insn_get_emulate_prefix()\n insn_get_emulate_prefix()\n insn_get_prefixes()\n insn_get_opcode()\n decode_branch_type()\n get_branch_type()\n intel_pmu_lbr_filter()\n intel_pmu_handle_irq()\n perf_event_nmi_handler()\n\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\n\n peek_nbyte_next(insn_byte_t, insn, i)\n\nWithin this macro, this dereference occurs:\n\n (insn)->next_byte\n\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. 
The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\n\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52476", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52476", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52476", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52476", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52476", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52476" } }, "CVE-2023-52477": { "affected_versions": "v2.6.12-rc2 to v6.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "usb: hub: Guard against accesses to uninitialized BOS descriptors", "fixes": "f74a7afc224acd5e922c7a2e52244d891bbe44ee", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: hub: Guard against accesses to uninitialized BOS descriptors\n\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. 
If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? 
kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\n\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capability checks, U1/U2 states setup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52477", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52477", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52477", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52477", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52477", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52477" } }, "CVE-2023-52478": { "affected_versions": "v2.6.12-rc2 to v6.6-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect", "fixes": "dac501397b9d81e4782232c39f94f4307b137452", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. 
Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp->protocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp->protocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp->name == hdev->name) {\n\t\t...\n\t\thidpp->name = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n if (hidpp->battery.ps)\n return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp->delayed_input)\n\t\treturn;\n\n\thidpp->delayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. 
Hitting the race leads to the following\nsequence:\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\n\t...\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-managed\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\n devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n hidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n this involves sending a remove uevent to userspace which invokes\n power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\n now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel: ? 
power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel: \n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52478", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52478", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52478", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52478", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52478", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52478" } }, "CVE-2023-52479": { "affected_versions": "v2.6.12-rc2 to v6.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ksmbd: fix uaf in smb20_oplock_break_ack", "fixes": "c69813471a1ec081a0b9bf0c6bd7e8afd818afce", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix uaf in smb20_oplock_break_ack\n\ndrop reference after use opinfo.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52479", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52479", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52479", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52479", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52479", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52479" } }, "CVE-2023-52480": { "affected_versions": "v2.6.12-rc2 to v6.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ksmbd: fix race condition between session lookup and expire", "fixes": "53ff5cf89142b978b1a5ca8dc4d4425e6a09745f", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix race condition between session lookup and expire\n\n Thread A + Thread B\n ksmbd_session_lookup | smb2_sess_setup\n sess = xa_load |\n |\n | 
xa_erase(&conn->sessions, sess->id);\n |\n | ksmbd_session_destroy(sess) --> kfree(sess)\n |\n // UAF! |\n sess->last_active = jiffies |\n +\n\nThis patch adds an rwsem to fix the race condition between ksmbd_session_lookup\nand ksmbd_expire_session.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52480", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52480", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52480", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52480", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52480", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52480" } }, "CVE-2023-52481": { "affected_versions": "v2.6.12-rc2 to v6.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arm64: errata: Add Cortex-A520 speculative unprivileged load workaround", "fixes": "471470bc7052d28ce125901877dd10e4c048e513", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. 
Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52481", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52481", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52481", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52481", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52481", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52481" } }, "CVE-2023-52482": { "affected_versions": "v2.6.12-rc2 to v6.6-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/srso: Add SRSO mitigation for Hygon processors", "fixes": "a5ef7d68cea1344cf524f04981c2b3f80bedbb0d", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Add SRSO mitigation for Hygon processors\n\nAdd mitigation for the speculative return stack overflow vulnerability\nwhich exists on Hygon processors too.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52482", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52482", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52482", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52482", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52482", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52482" } }, "CVE-2023-52483": { "affected_versions": "v5.15-rc1 to v6.6-rc6", "breaks": "889b7da23abf92faf34491df95733bda63639e32", "cmt_msg": "mctp: perform route lookups under a RCU read-side lock", "fixes": "5093bbfc10ab6636b32728e35813cbd79feb063c", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and 
mctp_route_lookup_null)\ntraverse the net's route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in a potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing preemption and a possible parallel kfree.\n\nThe remaining net->mctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo , where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52483", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52483", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52483", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52483", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52483" } }, "CVE-2023-52484": { "affected_versions": "v2.6.12-rc2 to v6.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range", "fixes": "d5afb4b47e13161b3f33904d45110f9e6463bad6", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\n\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: 
ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\n\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\n\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. 
Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\n\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52484", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52484", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52484", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52484", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52484", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52484" } }, "CVE-2023-52485": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Wake DMCUB before sending a command", "fixes": "8892780834ae294bc3697c7d0e056d7743900b39", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a 
DMCUB command directly within the DM execution\nhelper or we can deadlock.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52485", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52485", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52485", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52485", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52485" } }, "CVE-2023-52486": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm: Don't unref the same fb many times by mistake due to deadlock handling", "fixes": "cb4daf271302d71a6b9a7c01bd0b6d76febd8f0c", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\n\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\n\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\n\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. 
Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52486", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52486", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52486", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52486", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52486", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52486" } }, "CVE-2023-52487": { "affected_versions": "v6.5-rc1 to v6.8-rc2", "breaks": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6", "cmt_msg": "net/mlx5e: Fix peer flow lists handling", "fixes": "d76fdd31f953ac5046555171620f2562715e9b71", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix peer flow lists handling\n\nThe cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP\nflag when list of peer flows has become empty. However, if any concurrent\nuser holds a reference to a peer flow (for example, the neighbor update\nworkqueue task is updating peer flow's parent encap entry concurrently),\nthen the flow will not be removed from the peer list and, consecutively,\nDUP flag will remain set. 
Since mlx5e_tc_del_fdb_peers_flow() calls\nmlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm\nwill try to remove the flow from eswitch instances that it has never peered\nwith causing either NULL pointer dereference when trying to remove the flow\npeer list head of peer_index that was never initialized or a warning if the\nlist debug config is enabled[0].\n\nFix the issue by always removing the peer flow from the list even when not\nreleasing the last reference to it.\n\n[0]:\n\n[ 3102.985806] ------------[ cut here ]------------\n[ 3102.986223] list_del corruption, ffff888139110698->next is NULL\n[ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcg\nss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding]\n[ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3\n[ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0\n[ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b\n[ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286\n[ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n[ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640\n[ 3102.997188] 
DEL flow 00000000be367878 on port 0\n[ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff\n[ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100\n[ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240\n[ 3103.000790] FS: 00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000\n[ 3103.001486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0\n[ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 3103.003787] Call Trace:\n[ 3103.004055] \n[ 3103.004297] ? __warn+0x7d/0x130\n[ 3103.004623] ? __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3103.005094] ? report_bug+0xf1/0x1c0\n[ 3103.005439] ? console_unlock+0x4a/0xd0\n[ 3103.005806] ? handle_bug+0x3f/0x70\n[ 3103.006149] ? exc_invalid_op+0x13/0x60\n[ 3103.006531] ? asm_exc_invalid_op+0x16/0x20\n[ 3103.007430] ? 
__list_del_entry_valid_or_report+0x4f/0xc0\n[ 3103.007910] mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core]\n[ 3103.008463] mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n[ 3103.008944] mlx5e_flow_put+0x26/0x50 [mlx5_core]\n[ 3103.009401] mlx5e_delete_flower+0x25f/0x380 [mlx5_core]\n[ 3103.009901] tc_setup_cb_destroy+0xab/0x180\n[ 3103.010292] fl_hw_destroy_filter+0x99/0xc0 [cls_flower]\n[ 3103.010779] __fl_delete+0x2d4/0x2f0 [cls_flower]\n[ 3103.0\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52487", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52487", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52487", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52487", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52487", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52487" } }, "CVE-2023-52488": { "affected_versions": "v3.16-rc1 to v6.8-rc1", "breaks": "dfeae619d781dee61666d5551b93ba3be755a86b", "cmt_msg": "serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO", "fixes": "dbf4ab821804df071c8b566d9813083125e6d97b", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn't increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. 
The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52488", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52488", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52488", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52488", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52488", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52488" } }, "CVE-2023-52489": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "mm/sparsemem: fix race in accessing memory_section->usage", "fixes": "5ec8e8ea8b7783fab150cf86404fc38cb4db8800", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/sparsemem: fix race in accessing memory_section->usage\n\nThe below race is observed on a PFN which falls into the device memory\nregion with the system memory configuration where PFN's are such that\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end\npfn contains the device memory PFN's as well, the compaction triggered\nwill try on the device memory PFN's too though they end up in NOP(because\npfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When\nfrom other core, the section mappings are being removed for the\nZONE_DEVICE region, that the PFN in question belongs to, on which\ncompaction is currently being operated is resulting into the kernel crash\nwith CONFIG_SPASEMEM_VMEMAP enabled. 
The crash logs can be seen at [1].\n\ncompact_zone()\t\t\tmemunmap_pages\n-------------\t\t\t---------------\n__pageblock_pfn_to_page\n ......\n (a)pfn_valid():\n valid_section()//return true\n\t\t\t (b)__remove_pages()->\n\t\t\t\t sparse_remove_section()->\n\t\t\t\t section_deactivate():\n\t\t\t\t [Free the array ms->usage and set\n\t\t\t\t ms->usage = NULL]\n pfn_section_valid()\n [Access ms->usage which\n is NULL]\n\nNOTE: From the above it can be said that the race is reduced to between\nthe pfn_valid()/pfn_section_valid() and the section deactivate with\nSPASEMEM_VMEMAP enabled.\n\nThe commit b943f045a9af(\"mm/sparse: fix kernel crash with\npfn_section_valid check\") tried to address the same problem by clearing\nthe SECTION_HAS_MEM_MAP with the expectation of valid_section() returns\nfalse thus ms->usage is not accessed.\n\nFix this issue by the below steps:\n\na) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.\n\nb) RCU protected read side critical section will either return NULL\n when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.\n\nc) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No\n attempt will be made to access ->usage after this as the\n SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.\n\nThanks to David/Pavan for their inputs on this patch.\n\n[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/\n\nOn Snapdragon SoC, with the mentioned memory configuration of PFN's as\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of\nissues daily while testing on a device farm.\n\nFor this particular issue below is the log. 
Though the below log is\nnot directly pointing to the pfn_section_valid(){ ms->usage;}, when we\nloaded this dump on T32 lauterbach tool, it is pointing.\n\n[ 540.578056] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n[ 540.578068] Mem abort info:\n[ 540.578070] ESR = 0x0000000096000005\n[ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 540.578077] SET = 0, FnV = 0\n[ 540.578080] EA = 0, S1PTW = 0\n[ 540.578082] FSC = 0x05: level 1 translation fault\n[ 540.578085] Data abort info:\n[ 540.578086] ISV = 0, ISS = 0x00000005\n[ 540.578088] CM = 0, WnR = 0\n[ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)\n[ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c\n[ 540.579454] lr : compact_zone+0x994/0x1058\n[ 540.579460] sp : ffffffc03579b510\n[ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c\n[ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640\n[ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000\n[ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140\n[ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff\n[ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001\n[ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440\n[ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4\n[ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52489", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52489", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52489", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52489", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52489", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52489" } }, "CVE-2023-52490": { "affected_versions": 
"v6.3-rc1 to v6.8-rc1", "breaks": "64c8902ed4418317cd416c566f896bd4a92b2efc", "cmt_msg": "mm: migrate: fix getting incorrect page mapping during page migration", "fixes": "d1adb25df7111de83b64655a80b5a135adbded61", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: migrate: fix getting incorrect page mapping during page migration\n\nWhen running stress-ng testing, we found below kernel crash after a few hours:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\npc : dentry_name+0xd8/0x224\nlr : pointer+0x22c/0x370\nsp : ffff800025f134c0\n......\nCall trace:\n dentry_name+0xd8/0x224\n pointer+0x22c/0x370\n vsnprintf+0x1ec/0x730\n vscnprintf+0x2c/0x60\n vprintk_store+0x70/0x234\n vprintk_emit+0xe0/0x24c\n vprintk_default+0x3c/0x44\n vprintk_func+0x84/0x2d0\n printk+0x64/0x88\n __dump_page+0x52c/0x530\n dump_page+0x14/0x20\n set_migratetype_isolate+0x110/0x224\n start_isolate_page_range+0xc4/0x20c\n offline_pages+0x124/0x474\n memory_block_offline+0x44/0xf4\n memory_subsys_offline+0x3c/0x70\n device_offline+0xf0/0x120\n ......\n\nAfter analyzing the vmcore, I found this issue is caused by page migration.\nThe scenario is that, one thread is doing page migration, and we will use the\ntarget page's ->mapping field to save 'anon_vma' pointer between page unmap and\npage move, and now the target page is locked and refcount is 1.\n\nCurrently, there is another stress-ng thread performing memory hotplug,\nattempting to offline the target page that is being migrated. It discovers that\nthe refcount of this target page is 1, preventing the offline operation, thus\nproceeding to dump the page. 
However, page_mapping() of the target page may\nreturn an incorrect file mapping to crash the system in dump_mapping(), since\nthe target page->mapping only saves 'anon_vma' pointer without setting\nPAGE_MAPPING_ANON flag.\n\nThere are seveval ways to fix this issue:\n(1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving\n'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target\npage has not built mappings yet.\n(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing\nthe system, however, there are still some PFN walkers that call page_mapping()\nwithout holding the page lock, such as compaction.\n(3) Using target page->private field to save the 'anon_vma' pointer and 2 bits\npage state, just as page->mapping records an anonymous page, which can remove\nthe page_mapping() impact for PFN walkers and also seems a simple way.\n\nSo I choose option 3 to fix this issue, and this can also fix other potential\nissues for PFN walkers, such as compaction.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52490", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52490", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52490", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52490", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52490", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52490" } }, "CVE-2023-52491": { "affected_versions": "v4.12-rc1 to v6.8-rc1", "breaks": "b2f0d2724ba477d326e9d654d4db1c93e98f8b93", "cmt_msg": "media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run", "fixes": "206c857dd17d4d026de85866f1b5f0969f2a109e", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\n\nIn mtk_jpeg_probe, 
&jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\n\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\n\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\n\nCPU0 CPU1\nmtk_jpeg_dec_... |\n start worker\t |\n |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove |\n v4l2_m2m_release |\n kfree(m2m_dev); |\n |\n | v4l2_m2m_get_curr_priv\n | m2m_dev->curr_ctx //use\n\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\n\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52491", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52491", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52491", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52491", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52491", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52491" } }, "CVE-2023-52492": { "affected_versions": "v5.6-rc1 to v6.8-rc1", "breaks": "d2fb0a0438384fee08a418025f743913020033ce", "cmt_msg": "dmaengine: fix NULL pointer in channel unregistration function", "fixes": "f5c24d94512f1b288262beda4d3dcb9629222fc7", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fix NULL pointer in channel unregistration function\n\n__dma_async_device_channel_register() can fail. 
In case of failure,\nchan->local is freed (with free_percpu()), and chan->local is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[ 1.484499] Call trace:\n[ 1.486930] device_del+0x40/0x394\n[ 1.490314] device_unregister+0x20/0x7c\n[ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0\n\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan->local is not NULL.\n\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52492", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52492", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52492", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52492", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52492", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52492" } }, "CVE-2023-52493": { "affected_versions": "v5.7-rc1 to v6.8-rc1", "breaks": "1d3173a3bae7039b765a0956e3e4bf846dbaacb8", "cmt_msg": "bus: mhi: host: Drop chan lock before queuing buffers", "fixes": "01bd694ac2f682fb8017e16148b928482bc8fa4b", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Drop chan lock before queuing buffers\n\nEnsure read and write locks for the channel are not taken in succession by\ndropping the read lock from parse_xfer_event() such that a callback given\nto client can potentially queue buffers and acquire the write lock in that\nprocess. 
Any queueing of buffers should be done without channel read lock\nacquired as it can result in multiple locks and a soft lockup.\n\n[mani: added fixes tag and cc'ed stable]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52493", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52493", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52493", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52493", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52493", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52493" } }, "CVE-2023-52494": { "affected_versions": "v5.13-rc1 to v6.8-rc1", "breaks": "ec32332df7645e0ba463a08d483fe97665167071", "cmt_msg": "bus: mhi: host: Add alignment check for event ring read pointer", "fixes": "eff9704f5332a13b08fbdbe0f84059c9e7051d5f", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Add alignment check for event ring read pointer\n\nThough we do check the event ring read pointer by \"is_valid_ring_ptr\"\nto make sure it is in the buffer range, but there is another risk the\npointer may be not aligned. 
Since we are expecting event ring elements\nare 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer\ncould lead to multiple issues like DoS or ring buffer memory corruption.\n\nSo add a alignment check for event ring read pointer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52494", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52494", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52494", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52494", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52494", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52494" } }, "CVE-2023-52495": { "affected_versions": "v6.3-rc1 to v6.8-rc1", "breaks": "080b4e24852b1d5b66929f69344e6c3eeb963941", "cmt_msg": "soc: qcom: pmic_glink_altmode: fix port sanity check", "fixes": "c4fb7d2eac9ff9bfc35a2e4d40c7169a332416e0", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink_altmode: fix port sanity check\n\nThe PMIC GLINK altmode driver currently supports at most two ports.\n\nFix the incomplete port sanity check on notifications to avoid\naccessing and corrupting memory beyond the port array if we ever get a\nnotification for an unsupported port.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52495", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52495", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52495", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52495", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52495", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52495" } }, "CVE-2023-52497": { "affected_versions": "v5.3-rc1 to v6.8-rc1", "breaks": "0ffd71bcc3a03ebb3551661a36052488369c4de9", "cmt_msg": "erofs: fix lz4 inplace decompression", "fixes": "3c12466b6b7bf1e56f9b32c366a3d83d87afb4de", "last_affected_version": "6.7.2", 
"last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix lz4 inplace decompression\n\nCurrently EROFS can map another compressed buffer for inplace\ndecompression, that was used to handle the cases that some pages of\ncompressed data are actually not in-place I/O.\n\nHowever, like most simple LZ77 algorithms, LZ4 expects the compressed\ndata is arranged at the end of the decompressed buffer and it\nexplicitly uses memmove() to handle overlapping:\n __________________________________________________________\n |_ direction of decompression --> ____ |_ compressed data _|\n\nAlthough EROFS arranges compressed data like this, it typically maps two\nindividual virtual buffers so the relative order is uncertain.\nPreviously, it was hardly observed since LZ4 only uses memmove() for\nshort overlapped literals and x86/arm64 memmove implementations seem to\ncompletely cover it up and they don't have this issue. Juhyung reported\nthat EROFS data corruption can be found on a new Intel x86 processor.\nAfter some analysis, it seems that recent x86 processors with the new\nFSRM feature expose this issue with \"rep movsb\".\n\nLet's strictly use the decompressed buffer for lz4 inplace\ndecompression for now. 
Later, as an useful improvement, we could try\nto tie up these two buffers together in the correct order.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52497", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52497", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52497", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52497", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52497", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52497" } }, "CVE-2023-52498": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "PM: sleep: Fix possible deadlocks in core system-wide PM code", "fixes": "7839d0078e0d5e6cc2fa0b0dfbee71de74f1e557", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: sleep: Fix possible deadlocks in core system-wide PM code\n\nIt is reported that in low-memory situations the system-wide resume core\ncode deadlocks, because async_schedule_dev() executes its argument\nfunction synchronously if it cannot allocate memory (and not only in\nthat case) and that function attempts to acquire a mutex that is already\nheld. 
Executing the argument function synchronously from within\ndpm_async_fn() may also be problematic for ordering reasons (it may\ncause a consumer device's resume callback to be invoked before a\nrequisite supplier device's one, for example).\n\nAddress this by changing the code in question to use\nasync_schedule_dev_nocall() for scheduling the asynchronous\nexecution of device suspend and resume functions and to directly\nrun them synchronously if async_schedule_dev_nocall() returns false.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52498", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52498", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52498", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52498", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52498", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52498" } }, "CVE-2023-52499": { "affected_versions": "v5.12-rc1-dontuse to v6.6-rc6", "breaks": "6f76a01173ccaa363739f913394d4e138d92d718", "cmt_msg": "powerpc/47x: Fix 47x syscall return crash", "fixes": "f0eee815babed70a749d2496a7678be5b45b4c14", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n kernel tried to execute user page (b7ee2000) - exploit attempt? 
(uid: 0)\n BUG: Unable to handle kernel instruction fetch\n Faulting instruction address: 0xb7ee2000\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K FSP-2\n Modules linked in:\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n NIP:\u00a0 b7ee2000 LR: 8c008000 CTR: 00000000\n REGS: bffebd83 TRAP: 0400\u00a0\u00a0 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n MSR:\u00a0 00000030 \u00a0 CR: 00001000\u00a0 XER: 20000000\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n NIP [b7ee2000] 0xb7ee2000\n LR [8c008000] 0x8c008000\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn't return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. 
Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52499", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52499", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52499", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52499", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52499", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52499" } }, "CVE-2023-52500": { "affected_versions": "v2.6.12-rc2 to v6.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command", "fixes": "c13e7331745852d0dd7c35eabbe181cbd5b01172", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\n\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52500", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52500", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52500", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52500", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52500", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52500" } }, "CVE-2023-52501": { "affected_versions": "v2.6.12-rc2 to v6.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ring-buffer: Do not attempt to read past \"commit\"", "fixes": "95a404bd60af6c4d9d8db01ad14fe8957ece31ca", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while 
the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52501", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52501", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52501", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52501", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52501", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52501" } }, "CVE-2023-52502": { "affected_versions": "v3.6-rc1 to v6.6-rc6", "breaks": "8f50020ed9b81ba909ce9573f9d05263cdebf502", "cmt_msg": "net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()", "fixes": "31c07dffafce914c1d1543c135382a11ff058d93", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\n\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\n\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\n\nnfc_llcp_sock_get_sn() has a similar 
problem.\n\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52502", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52502", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52502", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52502", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52502", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52502" } }, "CVE-2023-52503": { "affected_versions": "v5.6-rc1 to v6.6-rc6", "breaks": "757cc3e9ff1d72d014096399d6e2bf03974d9da1", "cmt_msg": "tee: amdtee: fix use-after-free vulnerability in amdtee_close_session", "fixes": "f4384b3e54ea813868bb81a861bf5b2406e15d8f", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\n\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\n\n kref_put(&sess->refcount, destroy_session);\n\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). 
However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\n\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52503", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52503", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52503", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52503", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52503", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52503" } }, "CVE-2023-52504": { "affected_versions": "v4.17-rc1 to v6.6-rc6", "breaks": "6657fca06e3ffab8d0b3f9d8b397f5ee498952d7", "cmt_msg": "x86/alternatives: Disable KASAN in apply_alternatives()", "fixes": "d35652a5fc9944784f6f50a5c979518ff8dacf61", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/alternatives: Disable KASAN in apply_alternatives()\n\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\n\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\n\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\n\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. 
A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\n\nFix it for real by disabling KASAN while the kernel is patching alternatives.\n\n[ mingo: updated the changelog ]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52504", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52504", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52504", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52504", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52504", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52504" } }, "CVE-2023-52505": { "affected_versions": "v5.18-rc1 to v6.6-rc6", "breaks": "8f73b37cf3fbda67ea1e579c3b5785da4e7aa2e3", "cmt_msg": "phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers", "fixes": "139ad1143151a07be93bf741d4ea7c89e59f89ce", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\n\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\n\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. 
There\nare no other callers which modify PCC registers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52505", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52505", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52505", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52505", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52505", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52505" } }, "CVE-2023-52506": { "affected_versions": "v2.6.12-rc2 to v6.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "LoongArch: Set all reserved memblocks on Node#0 at initialization", "fixes": "b795fb9f5861ee256070d59e33130980a01fadd7", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Set all reserved memblocks on Node#0 at initialization\n\nAfter commit 61167ad5fecdea (\"mm: pass nid to reserve_bootmem_region()\")\nwe get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled:\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733\n[ 0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90\n[ 0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0\n[ 0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000\n[ 0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800\n[ 0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20\n[ 0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000\n[ 0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000\n[ 0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 
900000000470b740 s8 9000000004ad4000\n[ 0.000000] ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c\n[ 0.000000] ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000000000002b82\n[ 0.000000] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00\n[ 0.000000] 900000000470e000 90000000002c1918 0000000000000000 9000000004110780\n[ 0.000000] 00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748\n[ 0.000000] 0000000000000000 900000000421ca84 9000000004620000 9000000004564970\n[ 0.000000] 90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000\n[ 0.000000] 9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000\n[ 0.000000] 0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918\n[ 0.000000] 90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000\n[ 0.000000] 90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c\n[ 0.000000] 9000000004270008 0000000000000001 0000000000000000 90000000045ccd00\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [<90000000040e3f28>] reserve_bootmem_region+0xfc/0x21c\n[ 0.000000] [<900000000421ca84>] memblock_free_all+0x114/0x350\n[ 0.000000] [<9000000004218b2c>] mm_core_init+0x138/0x3cc\n[ 0.000000] [<9000000004200e38>] start_kernel+0x488/0x7a4\n[ 0.000000] [<90000000040df0d8>] kernel_entry+0xd8/0xdc\n[ 0.000000]\n[ 0.000000] Code: 02eb21ad 00410f4c 380c31ac <262b818d> 6800b70d 02c1c196 0015001c 57fe4bb1 260002cd\n\nThe reason is early memblock_reserve() in 
memblock_init() set node id to\nMAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain\nreserve_bootmem_region() -> init_reserved_page(). After memblock_init(),\nthose late calls of memblock_reserve() operate on subregions of memblock\n.memory regions. As a result, these reserved regions will be set to the\ncorrect node at the first iteration of memmap_init_reserved_pages().\n\nSo set all reserved memblocks on Node#0 at initialization can avoid this\npanic.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52506", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52506", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52506", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52506", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52506", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52506" } }, "CVE-2023-52507": { "affected_versions": "v3.2-rc1 to v6.6-rc6", "breaks": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "cmt_msg": "nfc: nci: assert requested protocol is valid", "fixes": "354a6e707e29cb0c007176ee5b8db8be7bd2dee0", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: assert requested protocol is valid\n\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. 
Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52507", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52507", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52507", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52507", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52507", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52507" } }, "CVE-2023-52508": { "affected_versions": "v2.6.12-rc2 to v6.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()", "fixes": "8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\n\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\nnull request structure pointer. 
An FC LLDD may make a call to\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\n\nAdd validation of the request structure pointer before dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52508", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52508", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52508", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52508", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52508", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52508" } }, "CVE-2023-52509": { "affected_versions": "unk to v6.6-rc6", "breaks": "", "cmt_msg": "ravb: Fix use-after-free issue in ravb_tx_timeout_work()", "fixes": "3971442870713de527684398416970cf025b4f89", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. 
So that .ndo_tx_timeout() will not be called\nafter phy_stop().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52509", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52509", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52509", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52509", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52509", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52509" } }, "CVE-2023-52510": { "affected_versions": "v4.12-rc1 to v6.6-rc6", "breaks": "ded845a781a578dfb0b5b2c138e5a067aa3b1242", "cmt_msg": "ieee802154: ca8210: Fix a potential UAF in ca8210_probe", "fixes": "f990874b1c98fe8e57ee9385669f501822979258", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). 
Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52510", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52510", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52510", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52510", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52510", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52510" } }, "CVE-2023-52511": { "affected_versions": "v2.6.12-rc2 to v6.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "spi: sun6i: reduce DMA RX transfer width to single byte", "fixes": "171f8a49f212e87a8b04087568e1b3d132e36a18", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: reduce DMA RX transfer width to single byte\n\nThrough empirical testing it has been determined that sometimes RX SPI\ntransfers with DMA enabled return corrupted data. This is down to single\nor even multiple bytes lost during DMA transfer from SPI peripheral to\nmemory. 
It seems the RX FIFO within the SPI peripheral can become\nconfused when performing bus read accesses wider than a single byte to it\nduring an active SPI transfer.\n\nThis patch reduces the width of individual DMA read accesses to the\nRX FIFO to a single byte to mitigate that issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52511", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52511", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52511", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52511", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52511", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52511" } }, "CVE-2023-52512": { "affected_versions": "v5.18-rc1 to v6.6-rc6", "breaks": "a1d1e0e3d80a870cc37a6c064994b89e963d2b58", "cmt_msg": "pinctrl: nuvoton: wpcm450: fix out of bounds write", "fixes": "87d315a34133edcb29c4cadbf196ec6c30dfd47b", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: wpcm450: fix out of bounds write\n\nWrite into 'pctrl->gpio_bank' happens before the check for GPIO index\nvalidity, so out of bounds write may happen.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52512", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52512", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52512", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52512", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52512", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52512" } }, "CVE-2023-52513": { "affected_versions": "v5.3-rc1 to v6.6-rc5", "breaks": "6c52fdc244b5ccc468006fd65a504d4ee33743c7", "cmt_msg": "RDMA/siw: Fix connection failure handling", "fixes": "53a3f777049771496f791504e7dc8ef017cba590", "last_affected_version": "6.5.6", "last_modified": 
"2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix connection failure handling\n\nIn case immediate MPA request processing fails, the newly\ncreated endpoint unlinks the listening endpoint and is\nready to be dropped. This special case was not handled\ncorrectly by the code handling the later TCP socket close,\ncausing a NULL dereference crash in siw_cm_work_handler()\nwhen dereferencing a NULL listener. We now also cancel\nthe useless MPA timeout, if immediate MPA request\nprocessing fails.\n\nThis patch furthermore simplifies MPA processing in general:\nScheduling a useless TCP socket read in sk_data_ready() upcall\nis now surpressed, if the socket is already moved out of\nTCP_ESTABLISHED state.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52513", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52513", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52513", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52513", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52513", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52513" } }, "CVE-2023-52515": { "affected_versions": "v3.7-rc1 to v6.6-rc5", "breaks": "d8536670916a685df116b5c2cb256573fd25e4e3", "cmt_msg": "RDMA/srp: Do not call scsi_done() from srp_abort()", "fixes": "e193b7955dfad68035b983a0011f4ef3590c85eb", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Do not call scsi_done() from srp_abort()\n\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). 
Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52515", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52515", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52515", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52515", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52515", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52515" } }, "CVE-2023-52516": { "affected_versions": "v2.6.12-rc2 to v6.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock", "fixes": "fb5a4315591dae307a65fc246ca80b5159d296e1", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\n\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\n\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\n\nTrimmed-down lockdep splat:\n\n The existing dependency chain (in reverse order) is:\n\n -> #2 (free_entries_lock){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n dma_entry_alloc+0x38/0x110\n debug_dma_map_page+0x60/0xf8\n dma_map_page_attrs+0x1e0/0x230\n dma_map_single_attrs.constprop.0+0x6c/0xc8\n geni_se_rx_dma_prep+0x40/0xcc\n qcom_geni_serial_isr+0x310/0x510\n __handle_irq_event_percpu+0x110/0x244\n handle_irq_event_percpu+0x20/0x54\n handle_irq_event+0x50/0x88\n handle_fasteoi_irq+0xa4/0xcc\n handle_irq_desc+0x28/0x40\n 
generic_handle_domain_irq+0x24/0x30\n gic_handle_irq+0xc4/0x148\n do_interrupt_handler+0xa4/0xb0\n el1_interrupt+0x34/0x64\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n arch_local_irq_enable+0x4/0x8\n ____do_softirq+0x18/0x24\n ...\n\n -> #1 (&port_lock_key){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n qcom_geni_serial_console_write+0x184/0x1dc\n console_flush_all+0x344/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n register_console+0x230/0x38c\n uart_add_one_port+0x338/0x494\n qcom_geni_serial_probe+0x390/0x424\n platform_probe+0x70/0xc0\n really_probe+0x148/0x280\n __driver_probe_device+0xfc/0x114\n driver_probe_device+0x44/0x100\n __device_attach_driver+0x64/0xdc\n bus_for_each_drv+0xb0/0xd8\n __device_attach+0xe4/0x140\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x44/0xb0\n device_add+0x538/0x668\n of_device_add+0x44/0x50\n of_platform_device_create_pdata+0x94/0xc8\n of_platform_bus_create+0x270/0x304\n of_platform_populate+0xac/0xc4\n devm_of_platform_populate+0x60/0xac\n geni_se_probe+0x154/0x160\n platform_probe+0x70/0xc0\n ...\n\n -> #0 (console_owner){-...}-{0:0}:\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n dma_entry_alloc+0xb4/0x110\n debug_dma_map_sg+0xdc/0x2f8\n __dma_map_sg_attrs+0xac/0xe4\n dma_map_sgtable+0x30/0x4c\n get_pages+0x1d4/0x1e4 [msm]\n msm_gem_pin_pages_locked+0x38/0xac [msm]\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n drm_ioctl_kernel+0xe0/0x15c\n drm_ioctl+0x2e8/0x3f4\n vfs_ioctl+0x30/0x50\n ...\n\n Chain exists of:\n console_owner --> &port_lock_key --> free_entries_lock\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(free_entries_lock);\n lock(&port_lock_key);\n lock(free_entries_lock);\n 
lock(console_owner);\n\n *** DEADLOCK ***\n\n Call trace:\n dump_backtrace+0xb4/0xf0\n show_stack+0x20/0x30\n dump_stack_lvl+0x60/0x84\n dump_stack+0x18/0x24\n print_circular_bug+0x1cc/0x234\n check_noncircular+0x78/0xac\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n consol\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52516", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52516", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52516", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52516", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52516", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52516" } }, "CVE-2023-52517": { "affected_versions": "v2.6.12-rc2 to v6.6-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain", "fixes": "1f11f4202caf5710204d334fe63392052783876d", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. 
Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52517", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52517", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52517", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52517", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52517", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52517" } }, "CVE-2023-52518": { "affected_versions": "v5.16-rc1 to v6.6-rc5", "breaks": "8961987f3f5fa2f2618e72304d013c8dd5e604a6", "cmt_msg": "Bluetooth: hci_codec: Fix leaking content of local_codecs", "fixes": "b938790e70540bf4f2e653dcd74b232494d06c8f", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_codec: Fix leaking content of local_codecs\n\nThe following memory leak can be observed when the controller supports\ncodecs which are stored in local_codecs list but the elements are never\nfreed:\n\nunreferenced object 0xffff88800221d840 (size 32):\n comm \"kworker/u3:0\", pid 36, jiffies 4294898739 (age 127.060s)\n hex dump (first 32 bytes):\n f8 d3 02 03 80 88 ff ff 80 d8 21 02 80 88 ff ff ..........!.....\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [] __kmalloc+0x47/0x120\n [] hci_codec_list_add.isra.0+0x2d/0x160\n [] hci_read_codec_capabilities+0x183/0x270\n [] hci_read_supported_codecs+0x1bb/0x2d0\n [] hci_read_local_codecs_sync+0x3e/0x60\n [] hci_dev_open_sync+0x943/0x11e0\n [] hci_power_on+0x10d/0x3f0\n [] process_one_work+0x404/0x800\n [] 
worker_thread+0x374/0x670\n [] kthread+0x188/0x1c0\n [] ret_from_fork+0x2b/0x50\n [] ret_from_fork_asm+0x1a/0x30", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52518", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52518", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52518", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52518", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52518", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52518" } }, "CVE-2023-52519": { "affected_versions": "unk to v6.6-rc5", "breaks": "", "cmt_msg": "HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit", "fixes": "8f02139ad9a7e6e5c05712f8c1501eebed8eacfd", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit\n\nThe EHL (Elkhart Lake) based platforms provide a OOB (Out of band)\nservice, which allows to wakup device when the system is in S5 (Soft-Off\nstate). This OOB service can be enabled/disabled from BIOS settings. When\nenabled, the ISH device gets PME wake capability. To enable PME wakeup,\ndriver also needs to enable ACPI GPE bit.\n\nOn resume, BIOS will clear the wakeup bit. So driver need to re-enable it\nin resume function to keep the next wakeup capability. 
But this BIOS\nclearing of wakeup bit doesn't decrement internal OS GPE reference count,\nso this reenabling on every resume will cause reference count to overflow.\n\nSo first disable and reenable ACPI GPE bit using acpi_disable_gpe().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52519", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52519", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52519", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52519", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52519", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52519" } }, "CVE-2023-52520": { "affected_versions": "v5.14-rc1 to v6.6-rc5", "breaks": "1bcad8e510b27ad843315ab2c27ccf459e3acded", "cmt_msg": "platform/x86: think-lmi: Fix reference leak", "fixes": "528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81", "last_affected_version": "6.5.7", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix reference leak\n\nIf a duplicate attribute is found using kset_find_obj(), a reference\nto that attribute is returned which needs to be disposed accordingly\nusing kobject_put(). 
Move the setting name validation into a separate\nfunction to allow for this change without having to duplicate the\ncleanup code for this setting.\nAs a side note, a very similar bug was fixed in\ncommit 7295a996fdab (\"platform/x86: dell-sysman: Fix reference leak\"),\nso it seems that the bug was copied from that driver.\n\nCompile-tested only.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52520", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52520", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52520", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52520", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52520", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52520" } }, "CVE-2023-52522": { "affected_versions": "v2.6.37-rc1 to v6.6-rc5", "breaks": "767e97e1e0db0d0f3152cd2f3bd3403596aedbad", "cmt_msg": "net: fix possible store tearing in neigh_periodic_work()", "fixes": "25563b581ba3a1f263a00e8c9a97f5e7363be6fd", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52522", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52522", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52522", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52522", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52522", "Ubuntu": 
"https://ubuntu.com/security/CVE-2023-52522" } }, "CVE-2023-52523": { "affected_versions": "v5.13-rc1 to v6.6-rc5", "breaks": "122e6c79efe1c25816118aca9cfabe54e99c2432", "cmt_msg": "bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets", "fixes": "b80e31baa43614e086a9d29dc1151932b1bd7fc5", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets\n\nWith a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages\nsent from one TCP socket (s1) to actually egress from another TCP\nsocket (s2):\n\ntcp_bpf_sendmsg(s1)\t\t// = sk_prot->sendmsg\n tcp_bpf_send_verdict(s1)\t// __SK_REDIRECT case\n tcp_bpf_sendmsg_redir(s2)\n tcp_bpf_push_locked(s2)\n\ttcp_bpf_push(s2)\n\t tcp_rate_check_app_limited(s2) // expects tcp_sock\n\t tcp_sendmsg_locked(s2)\t // ditto\n\nThere is a hard-coded assumption in the call-chain, that the egress\nsocket (s2) is a TCP socket.\n\nHowever in commit 122e6c79efe1 (\"sock_map: Update sock type checks for\nUDP\") we have enabled redirects to non-TCP sockets. This was done for the\nsake of BPF sk_skb programs. There was no indention to support sk_msg\nsend-to-egress use case.\n\nAs a result, attempts to send-to-egress through a non-TCP socket lead to a\ncrash due to invalid downcast from sock to tcp_sock:\n\n BUG: kernel NULL pointer dereference, address: 000000000000002f\n ...\n Call Trace:\n \n ? show_regs+0x60/0x70\n ? __die+0x1f/0x70\n ? page_fault_oops+0x80/0x160\n ? do_user_addr_fault+0x2d7/0x800\n ? rcu_is_watching+0x11/0x50\n ? exc_page_fault+0x70/0x1c0\n ? asm_exc_page_fault+0x27/0x30\n ? 
tcp_tso_segs+0x14/0xa0\n tcp_write_xmit+0x67/0xce0\n __tcp_push_pending_frames+0x32/0xf0\n tcp_push+0x107/0x140\n tcp_sendmsg_locked+0x99f/0xbb0\n tcp_bpf_push+0x19d/0x3a0\n tcp_bpf_sendmsg_redir+0x55/0xd0\n tcp_bpf_send_verdict+0x407/0x550\n tcp_bpf_sendmsg+0x1a1/0x390\n inet_sendmsg+0x6a/0x70\n sock_sendmsg+0x9d/0xc0\n ? sockfd_lookup_light+0x12/0x80\n __sys_sendto+0x10e/0x160\n ? syscall_enter_from_user_mode+0x20/0x60\n ? __this_cpu_preempt_check+0x13/0x20\n ? lockdep_hardirqs_on+0x82/0x110\n __x64_sys_sendto+0x1f/0x30\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nReject selecting a non-TCP sockets as redirect target from a BPF sk_msg\nprogram to prevent the crash. When attempted, user will receive an EACCES\nerror from send/sendto/sendmsg() syscall.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52523", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52523", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52523", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52523", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52523", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52523" } }, "CVE-2023-52524": { "affected_versions": "v6.5-rc1 to v6.6-rc5", "breaks": "6709d4b7bc2e079241fdef15d1160581c5261c10", "cmt_msg": "net: nfc: llcp: Add lock when modifying device list", "fixes": "dfc7f7a988dad34c3bf4c053124fb26aa6c5f916", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52524", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52524", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52524", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-52524", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52524", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52524" } }, "CVE-2023-52525": { "affected_versions": "v6.6-rc1 to v6.6-rc5", "breaks": "11958528161731c58e105b501ed60b83a91ea941", "fixes": "aef7a0300047e7b4707ea0411dc9597cba108fc8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet\n\nOnly skip the code path trying to access the rfc1042 headers when the\nbuffer is too small, so the driver can still process packets without\nrfc1042 headers.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52525", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52525", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52525", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52525", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52525", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52525" } }, "CVE-2023-52526": { "affected_versions": "v6.1-rc1 to v6.6-rc5", "breaks": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "cmt_msg": "erofs: fix memory leak of LZMA global compressed deduplication", "fixes": "75a5221630fe5aa3fedba7a06be618db0f79ba1e", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix memory leak of LZMA global compressed deduplication\n\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren't properly released, which could slowly cause\nunexpected OOMs hours later.\n\nLet's fix it now (LZ4 and DEFLATE don't have this issue.)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52526", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2023-52526", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52526", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52526", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52526", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52526" } }, "CVE-2023-52527": { "affected_versions": "v3.5-rc1 to v6.6-rc5", "breaks": "a32e0eec7042b21ccb52896cf715e3e2641fed93", "cmt_msg": "ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()", "fixes": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\ntransport header or account for it twice. This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff. The warning occurs when 'copy' is larger than\nthe amount of data in the message iterator. This is because the requested\nlength includes the transport header length when it shouldn't. 
This can be\ntriggered by, for example:\n\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n bind(sfd, ...); // ::1\n connect(sfd, ...); // ::1 port 7\n send(sfd, buffer, 4100, MSG_MORE);\n sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\nthe UDP packet itself.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52527", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52527", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52527", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52527", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52527", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52527" } }, "CVE-2023-52528": { "affected_versions": "v2.6.34-rc2 to v6.6-rc5", "breaks": "d0cad871703b898a442e4049c532ec39168e5b57", "cmt_msg": "net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg", "fixes": "e9c65989920f7c28775ec4e0c11b483910fb67b8", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n 
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready 
drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52528", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52528", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52528", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52528", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52528", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52528" } }, "CVE-2023-52529": { "affected_versions": "v5.14-rc1 to v6.6-rc5", "breaks": "fb1a79a6b6e1223ddb18f12aa35e36f832da2290", "cmt_msg": "HID: sony: Fix a potential memory leak in sony_probe()", "fixes": "e1cd4004cde7c9b694bbdd8def0e02288ee58c74", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: sony: Fix a potential memory leak in sony_probe()\n\nIf an error occurs after a successful usb_alloc_urb() call, usb_free_urb()\nshould be called.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52529", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52529", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52529", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52529", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52529", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52529" } }, "CVE-2023-52530": { "affected_versions": "v4.14-rc6 to v6.6-rc5", "breaks": 
"fdf7cb4185b60c68e1a75e61691c4afdc15dea0e", "cmt_msg": "wifi: mac80211: fix potential key use-after-free", "fixes": "31db78a4923ef5e2008f2eed321811ca79e7f71b", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix potential key use-after-free\n\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52530", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52530", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52530", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52530", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52530", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52530" } }, "CVE-2023-52531": { "affected_versions": "v3.9-rc1 to v6.6-rc5", "breaks": "8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c", "cmt_msg": "wifi: iwlwifi: mvm: Fix a memory corruption issue", "fixes": "8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()'ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\n\nAt the end of this structure, 
there is the 'channels' flex array.\nEach element is of type 'struct ieee80211_channel'.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\nWe point at the first element of the 'channels' flex array.\nSo this is fine.\n\nHowever, when doing:\n mvm->nvm_data->bands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm->nvm_data->channels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52531", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52531", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52531", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52531", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52531", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52531" } }, "CVE-2023-52532": { "affected_versions": "unk to v6.6-rc5", "breaks": "", "cmt_msg": "net: mana: Fix TX CQE error handling", "fixes": "b2b000069a4c307b09548dc2243f31f3ca0eac9c", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE to ratelimited error logging.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52532", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52532", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52532", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-52532", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52532", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52532" } }, "CVE-2023-52559": { "affected_versions": "v2.6.12-rc2 to v6.6-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "iommu/vt-d: Avoid memory allocation in iommu_suspend()", "fixes": "59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e", "last_affected_version": "6.5.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n \n tick_sched_timer+0x22/0x90\n ? 
__pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n \n \n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n \n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words memory is needed, avoid the memory allocation in\niommu_suspend().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52559", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52559", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52559", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52559", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52559", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52559" } }, "CVE-2023-52560": { "affected_versions": "v5.16-rc5 to v6.6-rc4", "breaks": "9f86d624292c238203b3687cdb870a2cde1a6f9b", "cmt_msg": "mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()", "fixes": "45120b15743fa7c0aa53d5db6dfb4c8f87be4abd", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\n\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\n\nSince commit 
9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed. And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\n\nSo use damon_destroy_target to free all the damon_regions and damon_target.\n\n unreferenced object 0xffff888107c9a940 (size 64):\n comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk\n 60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff `...............\n backtrace:\n [] kmalloc_trace+0x27/0xa0\n [] damon_new_target+0x3f/0x1b0\n [] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n [] damon_test_apply_three_regions1+0x21e/0x260\n [] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [] kthread+0x2b6/0x380\n [] ret_from_fork+0x2d/0x70\n [] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff8881079cc740 (size 56):\n comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n hex dump (first 32 bytes):\n 05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................\n 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk\n backtrace:\n [] damon_new_region+0x22/0x1c0\n [] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n [] damon_test_apply_three_regions1+0x21e/0x260\n [] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [] kthread+0x2b6/0x380\n [] ret_from_fork+0x2d/0x70\n [] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff888107c9ac40 (size 64):\n comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk\n a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff 
........x.v.....\n backtrace:\n [] kmalloc_trace+0x27/0xa0\n [] damon_new_target+0x3f/0x1b0\n [] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n [] damon_test_apply_three_regions2+0x21e/0x260\n [] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [] kthread+0x2b6/0x380\n [] ret_from_fork+0x2d/0x70\n [] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff8881079ccc80 (size 56):\n comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n hex dump (first 32 bytes):\n 05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................\n 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk\n backtrace:\n [] damon_new_region+0x22/0x1c0\n [] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n [] damon_test_apply_three_regions2+0x21e/0x260\n [] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [] kthread+0x2b6/0x380\n [] ret_from_fork+0x2d/0x70\n [prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)\n [ 1041.219165] ------------[ cut here ]------------\n [ 1041.221517] kernel BUG at lib/list_debug.c:62!\n [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0\n\nAnother quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,\nis to set slub_debug to poison the released objects and then just run\ncat /proc/slabinfo after removing the module that leaks slab objects,\nin which case the kernel will panic:\n\n [ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI\n [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 50.972663] RIP: 
0010:get_slabinfo+0x42/0xf0\n\nThis patch fixes this issue by properly checking shutdown_cache()'s\nreturn value before taking the kmem_cache_release() branch.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52562", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52562", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52562", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52562", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52562", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52562" } }, "CVE-2023-52563": { "affected_versions": "unk to v6.6-rc3", "breaks": "", "cmt_msg": "drm/meson: fix memory leak on ->hpd_notify callback", "fixes": "099f0af9d98231bb74956ce92508e87cbcb896be", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: fix memory leak on ->hpd_notify callback\n\nThe EDID returned by drm_bridge_get_edid() needs to be freed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52563", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52563", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52563", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52563", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52563", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52563" } }, "CVE-2023-52564": { "affected_versions": "v6.5-rc4 to v6.6-rc4", "breaks": "9b9c8195f3f0d74a826077fc1c01b9ee74907239", "cmt_msg": "Revert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"", "fixes": "29346e217b8ab8a52889b88f00b268278d6b7668", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nThis reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.\n\nThe commit above is reverted as it did not solve the original 
issue.\n\ngsm_cleanup_mux() tries to free up the virtual ttys by calling\ngsm_dlci_release() for each available DLCI. There, dlci_put() is called to\ndecrease the reference counter for the DLCI via tty_port_put() which\nfinally calls gsm_dlci_free(). This already clears the pointer which is\nbeing checked in gsm_cleanup_mux() before calling gsm_dlci_release().\nTherefore, it is not necessary to clear this pointer in gsm_cleanup_mux()\nas done in the reverted commit. The commit introduces a null pointer\ndereference:\n \n ? __die+0x1f/0x70\n ? page_fault_oops+0x156/0x420\n ? search_exception_tables+0x37/0x50\n ? fixup_exception+0x21/0x310\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? tty_port_put+0x19/0xa0\n gsmtty_cleanup+0x29/0x80 [n_gsm]\n release_one_tty+0x37/0xe0\n process_one_work+0x1e6/0x3e0\n worker_thread+0x4c/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe1/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nThe actual issue is that nothing guards dlci_put() from being called\nmultiple times while the tty driver was triggered but did not yet finished\ncalling gsm_dlci_free().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52564", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52564", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52564", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52564", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52564", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52564" } }, "CVE-2023-52565": { "affected_versions": "unk to v6.6-rc3", "breaks": "", "cmt_msg": "media: uvcvideo: Fix OOB read", "fixes": "41ebaa5e0eebea4c3bac96b72f9f8ae0d77c0bdb", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix OOB read\n\nIf the index provided by the user is bigger 
than the mask size, we might do\nan out of bound read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52565", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52565", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52565", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52565" } }, "CVE-2023-52566": { "affected_versions": "unk to v6.6-rc4", "breaks": "", "cmt_msg": "nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()", "fixes": "7ee29facd8a9c5a26079148e36bcf07141b3a6bc", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails. If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed. However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug. This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted. 
However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52566", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52566", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52566", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52566", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52566", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52566" } }, "CVE-2023-52567": { "affected_versions": "v6.4-rc1 to v6.6-rc4", "breaks": "0ba9e3a13c6adfa99e32b2576d20820ab10ad48a", "cmt_msg": "serial: 8250_port: Check IRQ data before use", "fixes": "cce7fc8b29961b64fadb1ce398dc5ff32a79643b", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_port: Check IRQ data before use\n\nIn case the leaf driver wants to use IRQ polling (irq = 0) and\nIIR register shows that an interrupt happened in the 8250 hardware\nthe IRQ data can be NULL. In such a case we need to skip the wake\nevent as we came to this path from the timer interrupt and quite\nlikely system is already awake.\n\nWithout this fix we have got an Oops:\n\n serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A\n ...\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n RIP: 0010:serial8250_handle_irq+0x7c/0x240\n Call Trace:\n ? serial8250_handle_irq+0x7c/0x240\n ? 
__pfx_serial8250_timeout+0x10/0x10", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52567", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52567", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52567", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52567", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52567", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52567" } }, "CVE-2023-52568": { "affected_versions": "unk to v6.6-rc4", "breaks": "", "cmt_msg": "x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race", "fixes": "c6c2adcba50c2622ed25ba5d5e7f05f584711358", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\n\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\n\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\n\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\n\nAn enclave can not run nor generate page faults without a resident SECS\npage. 
But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\n\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52568", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52568", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52568", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52568", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52568", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52568" } }, "CVE-2023-52569": { "affected_versions": "v2.6.12-rc2 to v6.6-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: remove BUG() after failure to insert delayed dir index item", "fixes": "2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node's tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. 
This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52569", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52569", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52569", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52569", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52569", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52569" } }, "CVE-2023-52570": { "affected_versions": "v6.1-rc1 to v6.6-rc4", "breaks": "da44c340c4fe9d9653ae84fa6a60f406bafcffce", "cmt_msg": "vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()", "fixes": "c777b11d34e0f47dbbc4b018ef65ad030f2b283a", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()\n\nInject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in\nkobject_add_internal() in kobject_init_and_add() in mdev_type_add()\nin parent_create_sysfs_files(), it will return 0 and probe successfully.\nAnd when rmmod mdpy.ko, the mdpy_dev_exit() will call\nmdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized\nparent->types[i] in parent_remove_sysfs_files(), and it will cause\nbelow null-ptr-deref.\n\nIf mdev_type_add() fails, return the error code and kset_unregister()\nto fix the issue.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n 
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0\n DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea\n DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n \n ? die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? __kobject_del+0x62/0x1c0\n kobject_del+0x32/0x50\n parent_remove_sysfs_files+0xd6/0x170 [mdev]\n mdev_unregister_parent+0xfb/0x190 [mdev]\n ? mdev_register_parent+0x270/0x270 [mdev]\n ? find_module_all+0x9d/0xe0\n mdpy_dev_exit+0x17/0x63 [mdpy]\n __do_sys_delete_module.constprop.0+0x2fa/0x4b0\n ? module_flags+0x300/0x300\n ? 
__fput+0x4e7/0xa00\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fbc813221b7\n Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7\n RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58\n RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000\n R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870\n R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0\n \n Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]\n Dumping ftrace buffer:\n (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(000\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52570", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52570", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52570", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52570", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52570", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52570" } }, 
"CVE-2023-52571": { "affected_versions": "unk to v6.6-rc4", "breaks": "", "cmt_msg": "power: supply: rk817: Fix node refcount leak", "fixes": "488ef44c068e79752dba8eda0b75f524f111a695", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: rk817: Fix node refcount leak\n\nDan Carpenter reports that the Smatch static checker warning has found\nthat there is another refcount leak in the probe function. While\nof_node_put() was added in one of the return paths, it should in\nfact be added for ALL return paths that return an error and at driver\nremoval time.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52571", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52571", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52571", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52571", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52571", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52571" } }, "CVE-2023-52572": { "affected_versions": "v2.6.12-rc2 to v6.6-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "cifs: Fix UAF in cifs_demultiplex_thread()", "fixes": "d527f51331cace562393a8038d870b3e9916686f", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n ...\n Call Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n kasan_check_range+0x145/0x1a0\n smb2_is_network_name_deleted+0x27/0x160\n cifs_demultiplex_thread.cold+0x172/0x5a4\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n 
\n\n Allocated by task 923:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x54/0x60\n kmem_cache_alloc+0x147/0x320\n mempool_alloc+0xe1/0x260\n cifs_small_buf_get+0x24/0x60\n allocate_buffers+0xa1/0x1c0\n cifs_demultiplex_thread+0x199/0x10d0\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n\n Freed by task 921:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x40\n ____kasan_slab_free+0x143/0x1b0\n kmem_cache_free+0xe3/0x4d0\n cifs_small_buf_release+0x29/0x90\n SMB2_negotiate+0x8b7/0x1c60\n smb2_negotiate+0x51/0x70\n cifs_negotiate_protocol+0xf0/0x160\n cifs_get_smb_ses+0x5fa/0x13c0\n mount_get_conns+0x7a/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921) | cifsd(pid: 923)\n-------------------------------|-------------------------------\n | cifs_demultiplex_thread\nSMB2_negotiate |\n cifs_send_recv |\n compound_send_recv |\n smb_send_rqst |\n wait_for_response |\n wait_event_state [1] |\n | standard_receive3\n | cifs_handle_standard\n | handle_mid\n | mid->resp_buf = buf; [2]\n | dequeue_mid [3]\n KILL the process [4] |\n resp_iov[i].iov_base = buf |\n free_rsp_buf [5] |\n | is_network_name_deleted [6]\n | callback\n\n1. After send request to server, wait the response until\n mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. 
UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52572", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52572", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52572", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52572", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52572", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52572" } }, "CVE-2023-52573": { "affected_versions": "v5.1-rc1 to v6.6-rc3", "breaks": "fd261ce6a30e01ad67c416e2c67e263024b3a6f9", "cmt_msg": "net: rds: Fix possible NULL-pointer dereference", "fixes": "f1d95df0f31048f1c59092648997686e3f7d9478", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: Fix possible NULL-pointer dereference\n\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52573", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52573", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52573", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52573", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52573", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52573" } }, "CVE-2023-52574": { "affected_versions": "unk to v6.6-rc3", "breaks": "", "cmt_msg": "team: fix null-ptr-deref when team device type is changed", "fixes": "492032760127251e5540a5716a70996bacf2a3fd", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux 
kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n \n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. 
That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52574", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52574", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52574", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52574", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52574", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52574" } }, "CVE-2023-52575": { "affected_versions": "v6.5-rc6 to v6.6-rc3", "breaks": "fb3bd914b3ec28f5fb697ac55c4846ac2d542855", "cmt_msg": "x86/srso: Fix SBPB enablement for spec_rstack_overflow=off", "fixes": "01b057b2f4cc2d905a0bd92195657dbd9a7005ab", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Fix SBPB enablement for spec_rstack_overflow=off\n\nIf the user has requested no SRSO mitigation, other mitigations can use\nthe lighter-weight SBPB instead of IBPB.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52575", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52575", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52575", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52575", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52575", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52575" } }, "CVE-2023-52576": { "affected_versions": "v5.13-rc1 to v6.6-rc3", "breaks": "fee3ff99bc67604fba77f19da0106f3ec52b1956", "cmt_msg": "x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()", "fixes": "34cf99c250d5cd2530b93a57b0de31d3aaf8685b", "last_affected_version": "6.5.5", "last_modified": 
"2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52576", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52576", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52576", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52576", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52576", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52576" } }, "CVE-2023-52577": { "affected_versions": "v6.6-rc1 to v6.6-rc3", "breaks": "977ad86c2a1bcaf58f01ab98df5cc145083c489c", "fixes": "6af289746a636f71f4c0535a9801774118486c7a", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix dccp_v4_err()/dccp_v6_err() again\n\ndh->dccph_x is the 9th byte (offset 8) in \"struct dccp_hdr\",\nnot in the \"byte 7\" as Jann claimed.\n\nWe need to make sure the ICMP messages are big enough,\nusing more standard ways (no more assumptions).\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\nBUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]\nBUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\npskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\ndccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\nicmpv6_notify+0x4c7/0x880 
net/ipv6/icmp.c:867\nicmpv6_rcv+0x19d5/0x30d0\nip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\nip6_input_finish net/ipv6/ip6_input.c:483 [inline]\nNF_HOOK include/linux/netfilter.h:304 [inline]\nip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\nip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\ndst_input include/net/dst.h:468 [inline]\nip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\nNF_HOOK include/linux/netfilter.h:304 [inline]\nipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n__netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\nnetif_receive_skb_internal net/core/dev.c:5723 [inline]\nnetif_receive_skb+0x58/0x660 net/core/dev.c:5782\ntun_rx_batched+0x83b/0x920\ntun_get_user+0x564c/0x6940 drivers/net/tun.c:2002\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n__alloc_skb+0x318/0x740 net/core/skbuff.c:650\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313\nsock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795\ntun_alloc_skb drivers/net/tun.c:1531 [inline]\ntun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 
[inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52577", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52577", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52577", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52577", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52577", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52577" } }, "CVE-2023-52578": { "affected_versions": "v2.6.17-rc4 to v6.6-rc3", "breaks": "1c29fc4989bc2a3838b2837adc12b8aeb0feeede", "cmt_msg": "net: bridge: use DEV_STATS_INC()", "fixes": "44bdb313da57322c9b3c108eb66981c6ec6509f4", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\n\nHandles updates to dev->stats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 
[inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 
kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52578", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52578", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52578", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52578", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52578", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52578" } }, "CVE-2023-52580": { "affected_versions": "v5.12-rc1-dontuse to v6.6-rc3", "breaks": "4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6", "cmt_msg": "net/core: Fix ETH_P_1588 flow dissector", "fixes": "75ad80ed88a182ab2ad5513e448cf07b403af5c3", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/core: Fix ETH_P_1588 flow dissector\n\nWhen a PTP ethernet raw frame with a size of more than 256 bytes followed\nby a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation\nis wrong. 
For example: hdr->message_length takes the wrong value (0xffff)\nand it does not replicate real header length. In this case, 'nhoff' value\nwas overridden and the PTP header was badly dissected. This leads to a\nkernel crash.\n\nnet/core: flow_dissector\nnet/core flow dissector nhoff = 0x0000000e\nnet/core flow dissector hdr->message_length = 0x0000ffff\nnet/core flow dissector nhoff = 0x0001000d (u16 overflow)\n...\nskb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88\nskb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nUsing the size of the ptp_header struct will allow the corrected\ncalculation of the nhoff value.\n\nnet/core flow dissector nhoff = 0x0000000e\nnet/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)\n...\nskb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff\nskb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nskb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nskb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nKernel trace:\n[ 74.984279] ------------[ cut here ]------------\n[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!\n[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1\n[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023\n[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130\n[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9\n[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297\n[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003\n[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300\n[ 75.074458] RBP: ffff8e4704e2acc0 R08: 
00000000000003f3 R09: 0000000000000800\n[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010\n[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800\n[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000\n[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0\n[ 75.121980] PKRU: 55555554\n[ 75.125035] Call Trace:\n[ 75.127792] \n[ 75.130063] ? eth_get_headlen+0xa4/0xc0\n[ 75.134472] igc_process_skb_fields+0xcd/0x150\n[ 75.139461] igc_poll+0xc80/0x17b0\n[ 75.143272] __napi_poll+0x27/0x170\n[ 75.147192] net_rx_action+0x234/0x280\n[ 75.151409] __do_softirq+0xef/0x2f4\n[ 75.155424] irq_exit_rcu+0xc7/0x110\n[ 75.159432] common_interrupt+0xb8/0xd0\n[ 75.163748] \n[ 75.166112] \n[ 75.168473] asm_common_interrupt+0x22/0x40\n[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350\n[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1\n[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202\n[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f\n[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20\n[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001\n[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980\n[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000\n[ 75.245635] ? 
\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52580", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52580", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52580", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52580", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52580", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52580" } }, "CVE-2023-52581": { "affected_versions": "v6.5-rc6 to v6.6-rc3", "breaks": "5f68718b34a531a556f2f50300ead2862278da26", "cmt_msg": "netfilter: nf_tables: fix memleak when more than 255 elements expired", "fixes": "cf5000a7787cbc10341091d37245a42c119d26c5", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak when more than 255 elements expired\n\nWhen more than 255 elements expired we're supposed to switch to a new gc\ncontainer structure.\n\nThis never happens: u8 type will wrap before reaching the boundary\nand nft_trans_gc_space() always returns true.\n\nThis means we recycle the initial gc container structure and\nlose track of the elements that came before.\n\nWhile at it, don't deref 'gc' after we've passed it to call_rcu.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52581", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52581", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52581", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52581", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52581", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52581" } }, "CVE-2023-52582": { "affected_versions": "v5.13-rc1 to v6.6-rc3", "breaks": "3d3c95046742e4eebaa4b891b0b01cbbed94ebbd", "cmt_msg": "netfs: Only call folio_start_fscache() one time for each folio", "fixes": "df1c357f25d808e30b216188330e708e09e1a412", "last_affected_version": "6.5.5", "last_modified": "2024-04-09", 
"nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n 1+0 records in\n 1+0 records out\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n echo 3 > /proc/sys/vm/drop_caches\n cat /mnt/nfs/file.bin > /dev/null\n\nwill trigger an oops similar to the following:\n\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n ------------[ cut here ]------------\n kernel BUG at include/linux/netfs.h:44!\n ...\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n ...\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n ...\n Call Trace:\n netfs_rreq_assess+0x497/0x660 [netfs]\n netfs_subreq_terminated+0x32b/0x610 [netfs]\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n nfs_read_completion+0x2f9/0x330 [nfs]\n rpc_free_task+0x72/0xa0 [sunrpc]\n rpc_async_release+0x46/0x70 [sunrpc]\n process_one_work+0x3bd/0x710\n worker_thread+0x89/0x610\n kthread+0x181/0x1c0\n ret_from_fork+0x29/0x50", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52582", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52582", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52582", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52582", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52582", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52582" } }, "CVE-2023-52583": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "ceph: fix 
deadlock or deadcode of misusing dget()", "fixes": "b493ad718b1f0357394d2cdecbf00a44a36fa085", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix deadlock or deadcode of misusing dget()\n\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\n\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52583", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52583", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52583", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52583", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52583", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52583" } }, "CVE-2023-52584": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "spmi: mediatek: Fix UAF on device remove", "fixes": "e821d50ab5b956ed0effa49faaf29912fd4106d9", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2023-52584", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52584", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52584", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52584", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52584", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52584" } }, "CVE-2023-52585": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()", "fixes": "b8d55a90fd55b767c25687747e2b24abd1ef8680", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52585", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52585", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52585", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52585", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52585", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52585" } }, "CVE-2023-52586": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/msm/dpu: Add mutex lock in control vblank irq", "fixes": "45284ff733e4caf6c118aae5131eb7e7cf3eea5a", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to 
synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52586", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52586", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52586", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52586", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52586" } }, "CVE-2023-52587": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "IB/ipoib: Fix mcast list locking", "fixes": "4f973e211b3b1c6d36f7c6a19239d258856749f9", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. 
If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\n\n Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below)\n -----------------------------------+-----------------------------------\n ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work)\n spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...)\n list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev)\n &priv->multicast_list, list) |\n ipoib_mcast_join(dev, mcast) |\n spin_unlock_irq(&priv->lock) |\n | spin_lock_irqsave(&priv->lock, flags)\n | list_for_each_entry_safe(mcast, tmcast,\n | &priv->multicast_list, list)\n | list_del(&mcast->list);\n | list_add_tail(&mcast->list, &remove_list)\n | spin_unlock_irqrestore(&priv->lock, flags)\n spin_lock_irq(&priv->lock) |\n | ipoib_mcast_remove_list(&remove_list)\n (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast,\n `priv->multicast_list` and we keep | remove_list, list)\n spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done)\n the other thread which is blocked |\n and the list is still valid on |\n it's stack.)\n\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\n\ncrash> bc 31\nPID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: \"kworker/u72:2\"\n--\n [exception RIP: ipoib_mcast_join_task+0x1b1]\n RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002\n RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000\n work (&priv->mcast_task{,.work})\n RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000\n &mcast->list\n RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000\n R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00\n mcast\n R13: ff1c6a1d82200000 
R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8\n dev priv (&priv->lock) &priv->multicast_list (aka head)\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n--- ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\n\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\n\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\n\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n mcast_task.work.func = 0xffffffffc0944910 ,\n mcast_mutex.owner.counter = 0xff1c69998efec000\n\ncrash> b 8\nPID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52587", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52587", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52587", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52587", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52587", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52587" } }, "CVE-2023-52588": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "f2fs: fix to tag gcing flag on page during block migration", "fixes": "4961acdd65c956e97c1a000c82d91a8c1cdbe44b", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to tag gcing flag on page during block migration\n\nIt needs to add missing gcing flag on page 
during block migration,\nin order to garantee migrated data be persisted during checkpoint,\notherwise out-of-order persistency between data and node may cause\ndata corruption after SPOR.\n\nSimilar issue was fixed by commit 2d1fe8a86bf5 (\"f2fs: fix to tag\ngcing flag on page during file defragment\").", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52588", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52588", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52588", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52588" } }, "CVE-2023-52589": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "media: rkisp1: Fix IRQ disable race issue", "fixes": "870565f063a58576e8a4529f122cac4325c6b395", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. 
This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52589", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52589", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52589", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52589", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52589", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52589" } }, "CVE-2023-52590": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ocfs2: Avoid touching renamed directory if parent does not change", "fixes": "9d618d19b29c2943527e3a43da0a35aea91062fc", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. 
Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52590", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52590", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52590", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52590", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52590", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52590" } }, "CVE-2023-52591": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "reiserfs: Avoid touching renamed directory if parent does not change", "fixes": "49db9b1b86a82448dfaf3fcfefcf678dee56c8ed", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. 
Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52591", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52591", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52591", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52591", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52591", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52591" } }, "CVE-2023-52593": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()", "fixes": "fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. 
Compile tested only.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52593", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52593", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52593", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52593", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52593", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52593" } }, "CVE-2023-52594": { "affected_versions": "v3.0-rc1 to v6.8-rc1", "breaks": "27876a29de221186c9d5883e5fe5f6da18ef9a45", "cmt_msg": "wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()", "fixes": "2adc886244dff60f948497b59affb6c6ebb3c348", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\n\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. 
Make the function return if that is the\ncase.\n\nFound by a modified version of syzkaller.\n\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52594", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52594", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52594", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52594", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52594", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52594" } }, "CVE-2023-52595": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "wifi: rt2x00: restart beacon queue when hardware reset", "fixes": "a11d965a218f0cd95b13fe44d0bcd8a20ce134a8", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: restart beacon queue when hardware reset\n\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. 
If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52595", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52595", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52595", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52595", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52595", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52595" } }, "CVE-2023-52596": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "sysctl: Fix out of bounds access for empty sysctl registers", "fixes": "315552310c7de92baea4e570967066569937a843", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. 
It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52596", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52596", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52596", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52596", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52596", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52596" } }, "CVE-2023-52597": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: s390: fix setting of fpc register", "fixes": "b988b1bb0053c0dcd26187d29ef07566a565cf55", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: fix setting of fpc register\n\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\n\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\n\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\n\nFix this by simply removing the test. 
There is another test right before\nthe SIE context is entered which will handles invalid values.\n\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52597", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52597", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52597", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52597", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52597", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52597" } }, "CVE-2023-52598": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "s390/ptrace: handle setting of fpc register correctly", "fixes": "8b13601d19c541158a6e18b278c00ba69ae37829", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ptrace: handle setting of fpc register correctly\n\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\n\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to 
user space.\n\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\n\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52598", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52598", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52598", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52598", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52598", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52598" } }, "CVE-2023-52599": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jfs: fix array-index-out-of-bounds in diNewExt", "fixes": "49f9637aafa6e63ba686c13cb8549bf5e6920402", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diNewExt\n\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n 
__se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\n\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\n\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52599", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52599", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52599", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52599", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52599", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52599" } }, "CVE-2023-52600": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jfs: fix uaf in jfs_evict_inode", "fixes": "e0e1958f4c365e380b17ccb35617345b31ef7bf3", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uaf in jfs_evict_inode\n\nWhen the execution of diMount(ipimap) 
fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\n\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52600", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52600", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52600", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52600", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52600", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52600" } }, "CVE-2023-52601": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "jfs: fix array-index-out-of-bounds in dbAdjTree", "fixes": "74ecdda68242b174920fe7c6133a856fb7d8559b", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in dbAdjTree\n\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. 
To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52601", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52601", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52601", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52601", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52601", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52601" } }, "CVE-2023-52602": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "jfs: fix slab-out-of-bounds Read in dtSearch", "fixes": "fa5492ee89463a7590a1449358002ff7ef63529f", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds Read in dtSearch\n\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. 
Added a bound check to fix\nthe error.\n\nDave:\nSet return code to -EIO", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52602", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52602", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52602", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52602", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52602", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52602" } }, "CVE-2023-52603": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "UBSAN: array-index-out-of-bounds in dtSplitRoot", "fixes": "27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nUBSAN: array-index-out-of-bounds in dtSplitRoot\n\nSyzkaller reported the following issue:\n\noop0: detected capacity change from 0 to 32768\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 
arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n \n\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\n\nThe patch is tested via syzbot.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52603", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52603", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52603", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52603", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52603", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52603" } }, "CVE-2023-52604": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree", "fixes": "9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 
's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n \n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n 
kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n \nKernel Offset: disabled\nRebooting in 86400 seconds..\n\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\n\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\n\nThe patch is tested via syzbot.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52604", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52604", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52604", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52604", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52604" } }, "CVE-2023-52606": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "powerpc/lib: Validate size for vector operations", "fixes": "8f9abaa6d7de0a70fc68acaedce290c1f96e2e59", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/lib: Validate size for vector operations\n\nSome of the fp/vmx code in sstep.c assume a certain maximum size for the\ninstructions being emulated. 
The size of those operations however is\ndetermined separately in analyse_instr().\n\nAdd a check to validate the assumption on the maximum size of the\noperations, so as to prevent any unintended kernel stack corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52606", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52606", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52606", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52606", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52606" } }, "CVE-2023-52607": { "affected_versions": "v2.6.33-rc1 to v6.8-rc1", "breaks": "a0668cdc154e54bf0c85182e0535eea237d53146", "cmt_msg": "powerpc/mm: Fix null-pointer dereference in pgtable_cache_add", "fixes": "f46c8a75263f97bda13c739ba1c90aced0d3b071", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. 
Ensure the allocation was successful\nby checking the pointer validity.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52607", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52607", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52607", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52607", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52607", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52607" } }, "CVE-2023-52608": { "affected_versions": "v5.7-rc1 to v6.8-rc2", "breaks": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac", "cmt_msg": "firmware: arm_scmi: Check mailbox/SMT channel for consistency", "fixes": "437a310b22244d4e0b78665c3042e5d1c0f45306", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\n\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\n\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\n\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\n\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new 
pending\ntransaction, even though the real reply has still to arrive.\n\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\n\nAdd a consistency check to validate such condition in the A2P ISR.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52608", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52608", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52608", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52608", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52608", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52608" } }, "CVE-2023-52609": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "binder: fix race between mmput() and do_exit()", "fixes": "9a9ab0d963621d9d12199df9817e66982582d5a5", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix race between mmput() and do_exit()\n\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\n\n Task A | Task B\n ------------------+------------------\n mmget_not_zero() |\n | do_exit()\n | exit_mm()\n | mmput()\n mmput() |\n exit_mmap() |\n remove_vma() |\n fput() |\n\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\n\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. 
All the associated\ndeath notifications will also be delayed until then.\n\nTo fix this, use mmput_async(), which will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52609", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52609", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52609", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52609", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52609", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52609" } }, "CVE-2023-52610": { "affected_versions": "v5.3-rc1 to v6.8-rc1", "breaks": "b57dc7c13ea90e09ae15f821d2583fa0231b4935", "cmt_msg": "net/sched: act_ct: fix skb leak and crash on ooo frags", "fixes": "3f14b377d01d8357eba032b4cabc8c1149b458b6", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo frags\n\nact_ct adds skb->users before defragmentation. If frags arrive in order,\nthe last frag's reference is reset in:\n\n inet_frag_reasm_prepare\n skb_morph\n\nwhich is not straightforward.\n\nHowever, when frags arrive out of order, nobody unrefs the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\n\nFix the issue by removing skb_get() before defragmentation. 
act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\n\n[0]:\n[ 843.804823] ------------[ cut here ]------------\n[ 843.809659] kernel BUG at net/core/skbuff.c:2091!\n[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0\n[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 843.894229] PKRU: 55555554\n[ 843.898539] Call Trace:\n[ 843.902772] \n[ 843.906922] ? __die_body+0x1e/0x60\n[ 843.911032] ? die+0x3c/0x60\n[ 843.915037] ? do_trap+0xe2/0x110\n[ 843.918911] ? pskb_expand_head+0x2ac/0x300\n[ 843.922687] ? do_error_trap+0x65/0x80\n[ 843.926342] ? pskb_expand_head+0x2ac/0x300\n[ 843.929905] ? exc_invalid_op+0x50/0x60\n[ 843.933398] ? pskb_expand_head+0x2ac/0x300\n[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20\n[ 843.940226] ? 
pskb_expand_head+0x2ac/0x300\n[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240\n[ 843.946904] ip_defrag+0x5d4/0x870\n[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]\n[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[ 843.959657] tcf_action_exec+0xa1/0x160\n[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]\n[ 843.966010] ? skb_clone+0x53/0xc0\n[ 843.969173] tcf_classify+0x24d/0x420\n[ 843.972333] tc_run+0x8f/0xf0\n[ 843.975465] __netif_receive_skb_core+0x67a/0x1080\n[ 843.978634] ? dev_gro_receive+0x249/0x730\n[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260\n[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0\n[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[ 843.991170] napi_complete_done+0x72/0x1a0\n[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[ 843.997501] __napi_poll+0x25/0x1b0\n[ 844.000627] net_rx_action+0x256/0x330\n[ 844.003705] __do_softirq+0xb3/0x29b\n[ 844.006718] irq_exit_rcu+0x9e/0xc0\n[ 844.009672] common_interrupt+0x86/0xa0\n[ 844.012537] \n[ 844.015285] \n[ 844.017937] asm_common_interrupt+0x26/0x40\n[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52610", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52610", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52610", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52610" } }, "CVE-2023-52611": { "affected_versions": "v6.4-rc1 to v6.8-rc1", "breaks": "65371a3f14e73979958aea0db1e3bb456a296149", "cmt_msg": "wifi: rtw88: sdio: Honor the host max_req_size in the RX path", "fixes": 
"00384f565a91c08c4bedae167f749b093d10e3fe", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: sdio: Honor the host max_req_size in the RX path\n\nLukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes\nwith an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth\ncombo card. The error he observed is identical to what has been fixed\nin commit e967229ead0e (\"wifi: rtw88: sdio: Check the HISR RX_REQUEST\nbit in rtw_sdio_rx_isr()\") but that commit didn't fix Lukas' problem.\n\nLukas found that disabling or limiting RX aggregation works around the\nproblem for some time (but does not fully fix it). In the following\ndiscussion a few key topics have been discussed which have an impact on\nthis problem:\n- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller\n which prevents DMA transfers. Instead all transfers need to go through\n the controller SRAM which limits transfers to 1536 bytes\n- rtw88 chips don't split incoming (RX) packets, so if a big packet is\n received this is forwarded to the host in its original form\n- rtw88 chips can do RX aggregation, meaning multiple incoming\n packets can be pulled by the host from the card with one MMC/SDIO\n transfer. This depends on settings in the REG_RXDMA_AGG_PG_TH\n register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will\n be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation\n and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)\n\nUse multiple consecutive reads in rtw_sdio_read_port() and limit the\nnumber of bytes which are copied by the host from the card in one\nMMC/SDIO transfer. This allows receiving a buffer that's larger than\nthe host's max_req_size (number of bytes which can be transferred in\none MMC/SDIO transfer). 
As a result of this the skb_over_panic error\nis gone as the rtw88 driver is now able to receive more than 1536 bytes\nfrom the card (either because the incoming packet is larger than that\nor because multiple packets have been aggregated).\n\nIn case of receive errors (-EILSEQ has been observed by Lukas) we\nneed to drain the remaining data from the card's buffer, otherwise the\ncard will return corrupt data for the next rtw_sdio_read_port() call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52611", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52611", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52611", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52611" } }, "CVE-2023-52612": { "affected_versions": "v4.10-rc1 to v6.8-rc1", "breaks": "1ab53a77b772bf7369464a0e4fa6fd6499acf8f1", "cmt_msg": "crypto: scomp - fix req->dst buffer overflow", "fixes": "744e1885922a9943458954cfea917b31064b4131", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: scomp - fix req->dst buffer overflow\n\nThe req->dst buffer size should be checked before copying from the\nscomp_scratch->dst to avoid a req->dst buffer overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52612", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52612", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52612", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52612", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52612", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52612" } }, "CVE-2023-52613": { "affected_versions": "v6.6-rc1 to v6.8-rc1", "breaks": "e7e3a7c35791fe7a70997883fb8ada5866a40f4d", "cmt_msg": "drivers/thermal/loongson2_thermal: Fix incorrect 
PTR_ERR() judgment", "fixes": "15ef92e9c41124ee9d88b01208364f3fe1f45f84", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment\n\nPTR_ERR() returns -ENODEV when thermal-zones are undefined, and we need\n-ENODEV as the right value for comparison.\n\nOtherwise, tz->type is NULL when thermal-zones is undefined, resulting\nin the following error:\n\n[ 12.290030] CPU 1 Unable to handle kernel paging request at virtual address fffffffffffffff1, era == 900000000355f410, ra == 90000000031579b8\n[ 12.302877] Oops[#1]:\n[ 12.305190] CPU: 1 PID: 181 Comm: systemd-udevd Not tainted 6.6.0-rc7+ #5385\n[ 12.312304] pc 900000000355f410 ra 90000000031579b8 tp 90000001069e8000 sp 90000001069eba10\n[ 12.320739] a0 0000000000000000 a1 fffffffffffffff1 a2 0000000000000014 a3 0000000000000001\n[ 12.329173] a4 90000001069eb990 a5 0000000000000001 a6 0000000000001001 a7 900000010003431c\n[ 12.337606] t0 fffffffffffffff1 t1 54567fd5da9b4fd4 t2 900000010614ec40 t3 00000000000dc901\n[ 12.346041] t4 0000000000000000 t5 0000000000000004 t6 900000010614ee20 t7 900000000d00b790\n[ 12.354472] t8 00000000000dc901 u0 54567fd5da9b4fd4 s9 900000000402ae10 s0 900000010614ec40\n[ 12.362916] s1 90000000039fced0 s2 ffffffffffffffed s3 ffffffffffffffed s4 9000000003acc000\n[ 12.362931] s5 0000000000000004 s6 fffffffffffff000 s7 0000000000000490 s8 90000001028b2ec8\n[ 12.362938] ra: 90000000031579b8 thermal_add_hwmon_sysfs+0x258/0x300\n[ 12.386411] ERA: 900000000355f410 strscpy+0xf0/0x160\n[ 12.391626] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 12.397898] PRMD: 00000004 (PPLV0 +PIE -PWE)\n[ 12.403678] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 12.409859] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n[ 12.415882] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 12.415907] BADV: fffffffffffffff1\n[ 12.415911] PRID: 0014a000 (Loongson-64bit, 
Loongson-2K1000)\n[ 12.415917] Modules linked in: loongson2_thermal(+) vfat fat uio_pdrv_genirq uio fuse zram zsmalloc\n[ 12.415950] Process systemd-udevd (pid: 181, threadinfo=00000000358b9718, task=00000000ace72fe3)\n[ 12.415961] Stack : 0000000000000dc0 54567fd5da9b4fd4 900000000402ae10 9000000002df9358\n[ 12.415982] ffffffffffffffed 0000000000000004 9000000107a10aa8 90000001002a3410\n[ 12.415999] ffffffffffffffed ffffffffffffffed 9000000107a11268 9000000003157ab0\n[ 12.416016] 9000000107a10aa8 ffffff80020fc0c8 90000001002a3410 ffffffffffffffed\n[ 12.416032] 0000000000000024 ffffff80020cc1e8 900000000402b2a0 9000000003acc000\n[ 12.416048] 90000001002a3410 0000000000000000 ffffff80020f4030 90000001002a3410\n[ 12.416065] 0000000000000000 9000000002df6808 90000001002a3410 0000000000000000\n[ 12.416081] ffffff80020f4030 0000000000000000 90000001002a3410 9000000002df2ba8\n[ 12.416097] 00000000000000b4 90000001002a34f4 90000001002a3410 0000000000000002\n[ 12.416114] ffffff80020f4030 fffffffffffffff0 90000001002a3410 9000000002df2f30\n[ 12.416131] ...\n[ 12.416138] Call Trace:\n[ 12.416142] [<900000000355f410>] strscpy+0xf0/0x160\n[ 12.416167] [<90000000031579b8>] thermal_add_hwmon_sysfs+0x258/0x300\n[ 12.416183] [<9000000003157ab0>] devm_thermal_add_hwmon_sysfs+0x50/0xe0\n[ 12.416200] [] loongson2_thermal_probe+0x128/0x200 [loongson2_thermal]\n[ 12.416232] [<9000000002df6808>] platform_probe+0x68/0x140\n[ 12.416249] [<9000000002df2ba8>] really_probe+0xc8/0x3c0\n[ 12.416269] [<9000000002df2f30>] __driver_probe_device+0x90/0x180\n[ 12.416286] [<9000000002df3058>] driver_probe_device+0x38/0x160\n[ 12.416302] [<9000000002df33a8>] __driver_attach+0xa8/0x200\n[ 12.416314] [<9000000002deffec>] bus_for_each_dev+0x8c/0x120\n[ 12.416330] [<9000000002df198c>] bus_add_driver+0x10c/0x2a0\n[ 12.416346] [<9000000002df46b4>] driver_register+0x74/0x160\n[ 12.416358] [<90000000022201a4>] do_one_initcall+0x84/0x220\n[ 12.416372] [<90000000022f3ab8>] 
do_init_module+0x58/0x2c0\n[\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52613", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52613", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52613", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52613", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52613", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52613" } }, "CVE-2023-52614": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "PM / devfreq: Fix buffer overflow in trans_stat_show", "fixes": "08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Fix buffer overflow in trans_stat_show\n\nFix buffer overflow in trans_stat_show().\n\nConvert simple snprintf to the more secure scnprintf with size of\nPAGE_SIZE.\n\nAdd condition checking if we are exceeding PAGE_SIZE and exit early from\nloop. 
Also add at the end a warning that we exceeded PAGE_SIZE and that\nstats is disabled.\n\nReturn -EFBIG in the case where we don't have enough space to write the\nfull transition table.\n\nAlso document in the ABI that this function can return -EFBIG error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52614", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52614", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52614", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52614", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52614", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52614" } }, "CVE-2023-52615": { "affected_versions": "v2.6.33-rc1 to v6.8-rc1", "breaks": "9996508b3353063f2d6c48c1a28a84543d72d70b", "cmt_msg": "hwrng: core - Fix page fault dead lock on mmap-ed hwrng", "fixes": "78aafb3884f6bc6636efcc1760c891c8500b9922", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\n\nThere is a dead-lock in the hwrng device read path. This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng. 
The resulting page fault triggers a recursive read\nwhich then dead-locks.\n\nFix this by using a stack buffer when calling copy_to_user.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52615", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52615", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52615", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52615", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52615", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52615" } }, "CVE-2023-52616": { "affected_versions": "v5.10-rc1 to v6.8-rc1", "breaks": "d58bb7e55a8a65894cc02f27c3e2bf9403e7c40f", "cmt_msg": "crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init", "fixes": "ba3c5574203034781ac4231acf117da917efcd2a", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\n\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. 
Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52616", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52616", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52616", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52616", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52616", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52616" } }, "CVE-2023-52617": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "PCI: switchtec: Fix stdev_release() crash after surprise hot remove", "fixes": "df25461119d987b8c81d232cfe4411e91dcabe66", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\n\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\n\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\n\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). 
Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\n\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52617", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52617", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52617", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52617", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52617", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52617" } }, "CVE-2023-52618": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "block/rnbd-srv: Check for unlikely string overflow", "fixes": "9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rnbd-srv: Check for unlikely string overflow\n\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. 
The W=1 builds were\nreporting this warning:\n\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n 616 | snprintf(full_path, PATH_MAX, \"%s/%s\",\n | ^~\nIn function 'rnbd_srv_get_full_path',\n inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n 616 | snprintf(full_path, PATH_MAX, \"%s/%s\",\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n 617 | dev_search_path, dev_name);\n | ~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52618", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52618", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52618", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52618", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52618", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52618" } }, "CVE-2023-52619": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "pstore/ram: Fix crash when setting number of cpus to an odd number", "fixes": "d49270a04623ce3c0afddbf3e984cb245aa48e9c", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Fix crash when setting number of cpus to an odd number\n\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n addr of zone0 = BASE\n addr of zone1 = BASE + zone_size\n addr of zone2 = BASE + zone_size*2\n ...\nThe 
address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\n\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52619", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52619", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52619", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52619", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52619", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52619" } }, "CVE-2023-52620": { "affected_versions": "v2.6.12-rc2 to v6.4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: nf_tables: disallow timeout for anonymous sets", "fixes": "e26d3009efda338f19016df4175f354a9bd0a4ab", "last_affected_version": "6.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow timeout for anonymous sets\n\nNever used from userspace, disallow these parameters.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52620", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52620", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52620", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52620", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52620", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52620" } }, "CVE-2023-52621": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers", "fixes": "169410eba271afc9f0fb476d996795aa26770c6d", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three 
bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? 
do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52621", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52621", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52621", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52621", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52621", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52621" } }, "CVE-2023-52622": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: avoid online resizing failures due to oversized flex bg", "fixes": "5d1935ac02ca5aee364a449a35e2977ea84509b0", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid online resizing failures due to oversized flex bg\n\nWhen we online resize an ext4 filesystem with an oversized flexbg_size,\n\n mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n mount $dev $dir\n resize2fs $dev 16G\n\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n \n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\n\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. 
Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\n\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\n\nAnd the value rounded down to a power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52622", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52622", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52622", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52622", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52622" } }, "CVE-2023-52623": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "SUNRPC: Fix a suspicious RCU usage warning", "fixes": "31b62908693c90d4d07db597e685d9f25a120073", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix a suspicious RCU usage warning\n\nI received the following warning while running cthon against an ontap\nserver running pNFS:\n\n[ 57.202521] =============================\n[ 57.202522] WARNING: suspicious RCU usage\n[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[ 57.202525] -----------------------------\n[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[ 57.202527]\n other info that might help us debug this:\n\n[ 57.202528]\n rcu_scheduler_active = 2, debug_locks = 1\n[ 57.202529] no locks held by test5/3567.\n[ 57.202530]\n stack backtrace:\n[ 57.202532] CPU: 0 PID: 3567 Comm: 
test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[ 57.202536] Call Trace:\n[ 57.202537] \n[ 57.202540] dump_stack_lvl+0x77/0xb0\n[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0\n[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202866] write_cache_pages+0x265/0x450\n[ 57.202870] ? 
__pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202913] do_writepages+0xd2/0x230\n[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80\n[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80\n[ 57.202924] filemap_write_and_wait_range+0xd9/0x170\n[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202969] __se_sys_close+0x46/0xd0\n[ 57.202972] do_syscall_64+0x68/0x100\n[ 57.202975] ? do_syscall_64+0x77/0x100\n[ 57.202976] ? do_syscall_64+0x77/0x100\n[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 57.202982] RIP: 0033:0x7fe2b12e4a94\n[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[ 57.202993] R10: 00007f\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52623", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52623", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52623", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52623", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52623", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52623" } }, "CVE-2023-52624": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Wake DMCUB before executing GPINT commands", "fixes": 
"e5ffd1263dd5b44929c676171802e7b6af483f21", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52624", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52624", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52624", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52624", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52624", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52624" } }, "CVE-2023-52625": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Refactor DMCUB enter/exit idle interface", "fixes": "8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. 
Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works similar to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52625", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52625", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52625", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52625", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52625", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52625" } }, "CVE-2023-52626": { "affected_versions": "v6.7-rc2 to v6.8-rc2", "breaks": "92214be5979c0961a471b7eaaaeacab41bdf456c", "cmt_msg": "net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context", "fixes": "3876638b2c7ebb2c9d181de1191db0de8cac143a", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix operation precedence bug in port timestamping napi_poll context\n\nIndirection (*) is of lower precedence than postfix increment (++). 
Logic\nin napi_poll context would cause an out-of-bound read by first increment\nthe pointer address by byte address space and then dereference the value.\nRather, the intended logic was to dereference first and then increment the\nunderlying value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52626", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52626", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52626", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52626", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52626", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52626" } }, "CVE-2023-52627": { "affected_versions": "v5.6-rc1 to v6.8-rc1", "breaks": "ca69300173b642ba64118200172171ea5967b6c5", "cmt_msg": "iio: adc: ad7091r: Allow users to configure device events", "fixes": "020e71c7ffc25dfe29ed9be6c2d39af7bd7f661f", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7091r: Allow users to configure device events\n\nAD7091R-5 devices are supported by the ad7091r-5 driver together with\nthe ad7091r-base driver. 
Those drivers declared iio events for notifying\nuser space when ADC readings fall below the thresholds of low limit\nregisters or above the values set in high limit registers.\nHowever, to configure iio events and their thresholds, a set of callback\nfunctions must be implemented and those were not present until now.\nThe consequence of trying to configure ad7091r-5 events without the\nproper callback functions was a null pointer dereference in the kernel\nbecause the pointers to the callback functions were not set.\n\nImplement event configuration callbacks allowing users to read/write\nevent thresholds and enable/disable event generation.\n\nSince the event spec structs are generic to AD7091R devices, also move\nthose from the ad7091r-5 driver to the base driver so they can be reused\nwhen support for ad7091r-2/-4/-8 is added.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52627", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52627", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52627", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52627", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52627", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52627" } }, "CVE-2023-52628": { "affected_versions": "v4.1-rc1 to v6.6-rc1", "breaks": "49499c3e6e18b7677a63316f3ff54a16533dc28f", "cmt_msg": "netfilter: nftables: exthdr: fix 4-byte stack OOB write", "fixes": "fd94d9dadee58e09b49075240fe83423eb1dcd36", "last_affected_version": "6.5.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\n\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\n\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\n\nThe 
bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\n\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52628", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52628", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52628", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52628", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52628", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52628" } }, "CVE-2023-52629": { "affected_versions": "v2.6.20-rc1 to v6.6-rc1", "breaks": "9f5e8eee5cfe1328660c71812d87c2a67bda389f", "cmt_msg": "sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "fixes": "246f80a0b17f8f582b2c0996db02998239057c65", "last_affected_version": "6.5.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. 
As a result, the worker and timer will be\nstopped safely before the deallocate operations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52629", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52629", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52629", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52629", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52629" } }, "CVE-2023-52630": { "affected_versions": "v5.10-rc1 to v6.8-rc4", "breaks": "5160a5a53c0c4ae3708959d9465ea43ad5d90542", "cmt_msg": "blk-iocost: Fix an UBSAN shift-out-of-bounds warning", "fixes": "2a427b49d02995ea4a6ff93a1432c40fa4d36821", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: Fix an UBSAN shift-out-of-bounds warning\n\nWhen iocg_kick_delay() is called from a CPU different than the one which set\nthe delay, @now may be in the past of @iocg->delay_at leading to the\nfollowing warning:\n\n UBSAN: shift-out-of-bounds in block/blk-iocost.c:1359:23\n shift exponent 18446744073709 is too large for 64-bit type 'u64' (aka 'unsigned long long')\n ...\n Call Trace:\n \n dump_stack_lvl+0x79/0xc0\n __ubsan_handle_shift_out_of_bounds+0x2ab/0x300\n iocg_kick_delay+0x222/0x230\n ioc_rqos_merge+0x1d7/0x2c0\n __rq_qos_merge+0x2c/0x80\n bio_attempt_back_merge+0x83/0x190\n blk_attempt_plug_merge+0x101/0x150\n blk_mq_submit_bio+0x2b1/0x720\n submit_bio_noacct_nocheck+0x320/0x3e0\n __swap_writepage+0x2ab/0x9d0\n\nThe underflow itself doesn't really affect the behavior in any meaningful\nway; however, the past timestamp may exaggerate the delay amount calculated\nlater in the code, which shouldn't be a material problem given the nature of\nthe delay mechanism.\n\nIf @now is in the past, this CPU is racing another CPU which recently set up\nthe delay and there's nothing this CPU can 
contribute w.r.t. the delay.\nLet's bail early from iocg_kick_delay() in such cases.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52630", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52630", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52630", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52630" } }, "CVE-2023-52631": { "affected_versions": "v5.15-rc1 to v6.8-rc4", "breaks": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "cmt_msg": "fs/ntfs3: Fix an NULL dereference bug", "fixes": "b2dd7b953c25ffd5912dda17e980e7168bebcf6c", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix an NULL dereference bug\n\nThe issue here is when this is called from ntfs_load_attr_list(). The\n\"size\" comes from le32_to_cpu(attr->res.data_size) so it can't overflow\non 64-bit systems but on 32-bit systems the \"+ 1023\" can overflow and\nthe result is zero. 
This means that the kmalloc will succeed by\nreturning the ZERO_SIZE_PTR and then the memcpy() will crash with an\nOops on the next line.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52631", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52631", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52631", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52631", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52631", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52631" } }, "CVE-2023-52632": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amdkfd: Fix lock dependency warning with srcu", "fixes": "2a9de42e8d3c82c6990d226198602be44f43f340", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n 
process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52632", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52632", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52632", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52632", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52632", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52632" } }, "CVE-2023-52633": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "um: time-travel: fix time corruption", "fixes": "abe4eaa8618bb36c2b33e9cdde0499296a23448c", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\num: time-travel: fix time corruption\n\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. 
These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\n\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52633", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52633", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52633", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52633" } }, "CVE-2023-52634": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Fix disable_otg_wa logic", "fixes": "2ce156482a6fef349d2eba98e5070c412d3af662", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecessarily\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52634", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52634", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-52634", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52634", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52634" } }, "CVE-2023-52635": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "PM / devfreq: Synchronize devfreq_monitor_[start/stop]", "fixes": "aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\n\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\n\nwhile true\ndo\n echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\n\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\n\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\n\n[1]\n...\n..\n-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428\n-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c\n-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428\nkworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227\nvendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init 
timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532\nvendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428\nxxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428\n\n[2]\n\n 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][ C4] Mem abort info:\n[ 9436.261666][ C4] ESR = 0x96000044\n[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][ C4] SET = 0, FnV = 0\n[ 9436.261673][ C4] EA = 0, S1PTW = 0\n[ 9436.261675][ C4] Data abort info:\n[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044\n[ 9436.261680][ C4] CM = 0, WnR = 1\n[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\n\n[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. 
(DT)\n[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][ C4] sp : ffffffc010023dd0\n[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52635", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52635", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52635", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52635", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52635", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52635" } }, "CVE-2023-52636": { "affected_versions": "v6.6-rc1 to v6.8-rc4", "breaks": "d396f89db39a2f259e2125ca43b4c31bb65afcad", "cmt_msg": "libceph: just wait for more data to be available on the socket", "fixes": "8e46a2d068c92a905d01cbb018b00d66991585ab", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: just wait for more data to be available on the 
socket\n\nA short read may occur while reading the message footer from the\nsocket. Later, when the socket is ready for another read, the\nmessenger invokes all read_partial_*() handlers, including\nread_partial_sparse_msg_data(). The expectation is that\nread_partial_sparse_msg_data() would bail, allowing the messenger to\ninvoke read_partial() for the footer and pick up where it left off.\n\nHowever read_partial_sparse_msg_data() violates that and ends up\ncalling into the state machine in the OSD client. The sparse-read\nstate machine assumes that it's a new op and interprets some piece of\nthe footer as the sparse-read header and returns bogus extents/data\nlength, etc.\n\nTo determine whether read_partial_sparse_msg_data() should bail, let's\nreuse cursor->total_resid. Because once it reaches to zero that means\nall the extents and data have been successfully received in last read,\nelse it could break out when partially reading any of the extents and\ndata. And then osd_sparse_read() could continue where it left off.\n\n[ idryomov: changelog ]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52636", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52636", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52636", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52636" } }, "CVE-2023-52637": { "affected_versions": "v5.4-rc1 to v6.8-rc5", "breaks": "9d71dd0c70099914fcd063135da3c580865e924c", "cmt_msg": "can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)", "fixes": "efe7cf828039aedb297c1f9920b638fffee6aabc", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\n\nLock jsk->sk to prevent UAF when 
setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\n\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\n\n CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n print_report+0xd3/0x620\n ? kasan_complete_mode_report_info+0x7d/0x200\n ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n kasan_report+0xc2/0x100\n ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n __asan_load4+0x84/0xb0\n j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n j1939_sk_recv+0x20b/0x320 [can_j1939]\n ? __kasan_check_write+0x18/0x20\n ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n ? j1939_simple_recv+0x69/0x280 [can_j1939]\n ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n j1939_can_recv+0x43f/0x580 [can_j1939]\n ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n ? raw_rcv+0x42/0x3c0 [can_raw]\n ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n can_rcv_filter+0x11f/0x350 [can]\n can_receive+0x12f/0x190 [can]\n ? __pfx_can_rcv+0x10/0x10 [can]\n can_rcv+0xdd/0x130 [can]\n ? __pfx_can_rcv+0x10/0x10 [can]\n __netif_receive_skb_one_core+0x13d/0x150\n ? __pfx___netif_receive_skb_one_core+0x10/0x10\n ? __kasan_check_write+0x18/0x20\n ? _raw_spin_lock_irq+0x8c/0xe0\n __netif_receive_skb+0x23/0xb0\n process_backlog+0x107/0x260\n __napi_poll+0x69/0x310\n net_rx_action+0x2a1/0x580\n ? __pfx_net_rx_action+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? handle_irq_event+0x7d/0xa0\n __do_softirq+0xf3/0x3f8\n do_softirq+0x53/0x80\n \n \n __local_bh_enable_ip+0x6e/0x70\n netif_rx+0x16b/0x180\n can_send+0x32b/0x520 [can]\n ? __pfx_can_send+0x10/0x10 [can]\n ? __check_object_size+0x299/0x410\n raw_sendmsg+0x572/0x6d0 [can_raw]\n ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n ? 
apparmor_socket_sendmsg+0x2f/0x40\n ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n sock_sendmsg+0xef/0x100\n sock_write_iter+0x162/0x220\n ? __pfx_sock_write_iter+0x10/0x10\n ? __rtnl_unlock+0x47/0x80\n ? security_file_permission+0x54/0x320\n vfs_write+0x6ba/0x750\n ? __pfx_vfs_write+0x10/0x10\n ? __fget_light+0x1ca/0x1f0\n ? __rcu_read_unlock+0x5b/0x280\n ksys_write+0x143/0x170\n ? __pfx_ksys_write+0x10/0x10\n ? __kasan_check_read+0x15/0x20\n ? fpregs_assert_state_consistent+0x62/0x70\n __x64_sys_write+0x47/0x60\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6d/0x90\n ? irqentry_exit+0x3f/0x50\n ? exc_page_fault+0x79/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 348:\n kasan_save_stack+0x2a/0x50\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x1f/0x30\n __kasan_kmalloc+0xb5/0xc0\n __kmalloc_node_track_caller+0x67/0x160\n j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n __sys_setsockopt+0x15c/0x2f0\n __x64_sys_setsockopt+0x6b/0x80\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 349:\n kasan_save_stack+0x2a/0x50\n kasan_set_track+0x29/0x40\n kasan_save_free_info+0x2f/0x50\n __kasan_slab_free+0x12e/0x1c0\n __kmem_cache_free+0x1b9/0x380\n kfree+0x7a/0x120\n j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n __sys_setsockopt+0x15c/0x2f0\n __x64_sys_setsockopt+0x6b/0x80\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52637", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52637", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52637", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52637", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52637", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52637" } }, "CVE-2023-52638": { "affected_versions": "v2.6.12-rc2 to v6.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "can: j1939: prevent deadlock by changing j1939_socks_lock 
to rwlock", "fixes": "6cdedc18ba7b9dacc36466e27e3267d201948c8d", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\n\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\n\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\n\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\n\nNOTE: This patch alone does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\n\n[mkl: remove unrelated newline change]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52638", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52638", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52638", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52638", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52638", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52638" } }, "CVE-2023-52639": { "affected_versions": "unk to v6.8-rc4", "breaks": "", "cmt_msg": "KVM: s390: vsie: fix race during shadow creation", "fixes": "fe752331d4b361d43cfd0b89534b4b2176057c32", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, 
the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52639", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52639", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52639", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52639" } }, "CVE-2023-52640": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs/ntfs3: Fix oob in ntfs_listxattr", "fixes": "731ab1f9828800df871c5a7ab9ffe965317d3f15", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix oob in ntfs_listxattr\n\nThe length of name cannot exceed the space occupied by ea.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52640", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52640", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52640", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52640", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52640", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52640" } }, "CVE-2023-52641": { "affected_versions": "unk to v6.8-rc4", "breaks": "", "cmt_msg": "fs/ntfs3: Add NULL ptr dereference checking at the end of 
attr_allocate_frame()", "fixes": "aaab47f204aaf47838241d57bf8662c8840de60a", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()\n\nIt is preferable to exit through the out: label because\ninternal debugging functions are located there.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-52641", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-52641", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-52641", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-52641", "SUSE": "https://www.suse.com/security/cve/CVE-2023-52641", "Ubuntu": "https://ubuntu.com/security/CVE-2023-52641" } }, "CVE-2023-5345": { "affected_versions": "v6.1-rc1 to v6.6-rc4", "breaks": "a4e430c8c8ba96be8c6ec4f2eb108bb8bcbee069", "cmt_msg": "fs/smb/client: Reset password pointer to NULL", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "e6e43b8aa7cd3c3af686caf0c2e11819a886d705", "last_affected_version": "6.5.5", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation.\n\nIn case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free.\n\nWe recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5345", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5345", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5345", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2023-5345", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5345", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5345" } }, "CVE-2023-5633": { "affected_versions": "v6.2 to v6.6-rc6", "breaks": "a950b989ea29ab3b38ea7f6e3d2540700a3c54e8", "cmt_msg": "drm/vmwgfx: Keep a gem reference to user bos in surfaces", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "91398b413d03660fd5828f7b4abc64e884b98069", "last_affected_version": "6.5.7", "last_modified": "2023-12-06", "nvd_text": "The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5633", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5633", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5633", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5633", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5633" } }, "CVE-2023-5717": { "affected_versions": "v4.4-rc1 to v6.6-rc7", "breaks": "fa8c269353d560b7c28119ad7617029f92e40b15", "cmt_msg": "perf: Disallow mis-matched inherited group reads", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, 
"fixes": "32671e3799ca2e4590773fd0e63aaa4229e50c06", "last_affected_version": "6.5.8", "last_modified": "2023-12-06", "nvd_text": "A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\n\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\n\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5717", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5717", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5717", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5717", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5717" } }, "CVE-2023-5972": { "affected_versions": "v6.2-rc1 to v6.6-rc7", "breaks": "3a07327d10a09379315c844c63f27941f5081e0a", "cmt_msg": "nf_tables: fix NULL pointer dereference in nft_expr_inner_parse()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "505ce0630ad5d31185695f8a29dde8d29f28faa7", "last_affected_version": "6.5.8", "last_modified": "2023-12-27", "nvd_text": "A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. 
This issue could allow a local user to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-5972", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-5972", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-5972", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-5972", "SUSE": "https://www.suse.com/security/cve/CVE-2023-5972", "Ubuntu": "https://ubuntu.com/security/CVE-2023-5972" } }, "CVE-2023-6039": { "affected_versions": "v5.15-rc1 to v6.5-rc5", "breaks": "77dfff5bb7e20ce1eaaf4c599d9c54a8f4331124", "cmt_msg": "net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3", "last_affected_version": "6.4.9", "last_modified": "2023-12-06", "nvd_text": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. 
This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6039", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6039", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6039", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6039", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6039" } }, "CVE-2023-6040": { "affected_versions": "v2.6.12-rc2 to v5.18-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "netfilter: nf_tables: Reject tables of unsupported family", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "f1082dd31fe461d482d69da2a8eccfeb7bf07ac2", "last_affected_version": "5.15.146", "last_modified": "2024-02-02", "nvd_text": "An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6040", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6040", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6040", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6040", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6040", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6040" } }, "CVE-2023-6111": { "affected_versions": "v6.6-rc3 to v6.7-rc1", "breaks": "4a9e12ea7e70223555ec010bec9f711089ce96f6", "cmt_msg": "netfilter: nf_tables: 
remove catchall element in GC sync path", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "93995bf4af2c5a99e2a87f0cd5ce547d31eb7630", "last_affected_version": "6.6.2", "last_modified": "2023-12-06", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.\n\nWe recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6111", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6111", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6111", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6111", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6111", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6111" } }, "CVE-2023-6121": { "affected_versions": "v4.8-rc1 to v6.7-rc3", "breaks": "a07b4970f464f13640e28e16dad6cfa33647cc99", "cmt_msg": "nvmet: nul-terminate the NQNs passed in the connect command", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "Low", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "score": 4.3 }, "fixes": "1c22e0295a5eb571c27b53c7371f95699ef705ff", "last_affected_version": "6.6.3", "last_modified": "2024-01-12", "nvd_text": "An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. 
This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6121", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6121", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6121", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6121", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6121" } }, "CVE-2023-6176": { "affected_versions": "v5.7-rc7 to v6.6-rc2", "breaks": "635d9398178659d8ddba79dd061f9451cec0b4d1", "cmt_msg": "net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "cfaa80c91f6f99b9342b6557f0f0e1143e434066", "last_affected_version": "6.5.3", "last_modified": "2023-12-06", "nvd_text": "A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. 
This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6176", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6176", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6176", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6176", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6176" } }, "CVE-2023-6200": { "affected_versions": "v6.6-rc1 to v6.7-rc7", "breaks": "3dec89b14d37ee635e772636dad3f09f78f1ab87", "cmt_msg": "net/ipv6: Revert remove expired routes with a separated list of routes", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 7.5 }, "fixes": "dade3f6a1e4e35a5ae916d5e78b3229ec34c78ec", "last_affected_version": "6.6.8", "last_modified": "2024-02-02", "nvd_text": "A race condition was found in the Linux Kernel. 
Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6200", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6200", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6200", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6200", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6200", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6200" } }, "CVE-2023-6238": { "affected_versions": "v6.2-rc1 to unk", "breaks": "855b7717f44b13e0990aa5ad36bbf9aa35051516", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2024-02-09", "nvd_text": "A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. 
Only privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6238", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6238", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6238", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6238", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6238", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6238" } }, "CVE-2023-6240": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Network", "Availability": "None", "Confidentiality": "High", "Integrity": "Low", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "score": 6.5 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. 
This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6240", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6240", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6240", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6240", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6240" } }, "CVE-2023-6270": { "affected_versions": "unk to v6.9-rc1", "breaks": "", "cmt_msg": "aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "f98364e926626c678fb4b9004b75cacf92ff0662", "last_affected_version": "6.7.10", "last_modified": "2024-04-08", "nvd_text": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. 
This could lead to a denial of service condition or potential code execution.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6270", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6270", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6270", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6270", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6270" } }, "CVE-2023-6356": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "efa56305908ba20de2104f1b8508c6a7401833be", "last_affected_version": "6.7.1", "last_modified": "2024-04-08", "nvd_text": "A flaw was found in the Linux kernel's NVMe driver. 
This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6356", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6356", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6356", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6356", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6356" } }, "CVE-2023-6531": { "affected_versions": "v6.1-rc1 to v6.7-rc5", "breaks": "0091bfc81741b8d3aeb3b7ab8636f911b2de6e80", "cmt_msg": "io_uring/af_unix: disable sending io_uring over sockets", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "705318a99a138c29a512a72c3e0043b3cd7f55f4", "last_affected_version": "6.6.6", "last_modified": "2024-02-02", "nvd_text": "A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6531", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6531", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6531", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6531", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6531" } }, "CVE-2023-6535": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", 
"Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6535", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6535", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6535", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6535", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6535" } }, "CVE-2023-6536": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "nvmet-tcp: fix a crash in nvmet_req_complete()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "0849a5441358cef02586fb2d60f707c0db195628", "last_affected_version": "6.7.1", "last_modified": "2024-04-08", "nvd_text": "A flaw was found in the Linux kernel's NVMe driver. 
This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6536", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6536", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6536", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6536", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6536" } }, "CVE-2023-6546": { "affected_versions": "v2.6.35-rc1 to v6.5-rc7", "breaks": "e1eaea46bb4020b38a141b84f88565d4603f8dd0", "cmt_msg": "tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "3c4f8333b582487a2d1e02171f1465531cde53e3", "last_affected_version": "6.4.11", "last_modified": "2024-01-12", "nvd_text": "A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. 
This could allow a local unprivileged user to escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6546", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6546", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6546", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6546", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6546", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6546" } }, "CVE-2023-6560": { "affected_versions": "v5.1-rc1 to v6.7-rc4", "breaks": "2b188cc1bb857a9d4701ae59aa7768b5124e262e", "cmt_msg": "io_uring: don't allow discontig pages for IORING_SETUP_NO_MMAP", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "820d070feb668aab5bc9413c285a1dda2a70e076", "last_affected_version": "6.6.4", "last_modified": "2024-01-12", "nvd_text": "An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. 
This issue could allow a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6560", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6560", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6560", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6560", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6560", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6560" } }, "CVE-2023-6606": { "affected_versions": "v2.6.12-rc2 to v6.7-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "smb: client: fix OOB in smbCalcSize()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "b35858b3786ddbb56e1c35138ba25d6adf8d0bef", "last_affected_version": "6.6.8", "last_modified": "2024-01-12", "nvd_text": "An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. 
This issue could allow a local attacker to crash the system or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6606", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6606", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6606", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6606", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6606" } }, "CVE-2023-6610": { "affected_versions": "v2.6.12-rc2 to v6.7-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "smb: client: fix potential OOB in smb2_dump_detail()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "567320c46a60a3c39b69aa1df802d753817a3f86", "last_affected_version": "6.6.12", "last_modified": "2024-02-02", "nvd_text": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. 
This issue could allow a local attacker to crash the system or leak internal kernel information.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6610", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6610", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6610", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6610" } }, "CVE-2023-6622": { "affected_versions": "v5.11-rc1 to v6.7-rc5", "breaks": "48b0ae046ee96eac999839f6d26c624b8c93ed66", "cmt_msg": "netfilter: nf_tables: bail out on mismatching dynset and set expressions", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "3701cd390fd731ee7ae8b8006246c8db82c72bea", "last_affected_version": "6.6.6", "last_modified": "2024-02-02", "nvd_text": "A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. 
This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6622", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6622", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6622", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6622", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6622", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6622" } }, "CVE-2023-6679": { "affected_versions": "v6.7-rc1 to v6.7-rc6", "breaks": "9d71b54b65b1fb6c0d3a6c5c88ba9b915c783fbc", "cmt_msg": "dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "65c95f78917ea6fa7ff189a2c19879c4fe161873", "last_modified": "2024-01-12", "nvd_text": "A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. 
This issue could be exploited to trigger a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6679", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6679", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6679", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6679", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6679", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6679" } }, "CVE-2023-6817": { "affected_versions": "v5.6-rc1 to v6.7-rc5", "breaks": "3c4287f62044a90e73a561aa05fc46e62da173da", "cmt_msg": "netfilter: nft_set_pipapo: skip inactive elements during set walk", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "317eb9685095678f2c9f5a8189de698c5354316a", "last_affected_version": "6.6.6", "last_modified": "2024-02-02", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\n\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6817", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6817", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6817", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6817", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6817", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6817" } }, "CVE-2023-6915": { "affected_versions": "v2.6.23-rc1 to v6.7-rc7", "breaks": "72dba584b695d8bc8c1a50ed54ad4cba7c62314d", 
"cmt_msg": "ida: Fix crash in ida_free when the bitmap is empty", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5 }, "fixes": "af73483f4e8b6f5c68c9aa63257bdd929a9c194a", "last_affected_version": "6.6.12", "last_modified": "2024-02-02", "nvd_text": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6915", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6915", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6915", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6915", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6915" } }, "CVE-2023-6931": { "affected_versions": "v4.3-rc4 to v6.7-rc5", "breaks": "a723968c0ed36db676478c3d26078f13484fe01c", "cmt_msg": "perf: Fix perf_event_validate_size()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "382c27f4ed28f803b1f1473ac2d8db0afc795a1b", "last_affected_version": "6.6.6", "last_modified": "2024-01-15", "nvd_text": "A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\n\nA perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group().\n\nWe recommend upgrading past 
commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6931", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6931", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6931", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6931", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6931", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6931" } }, "CVE-2023-6932": { "affected_versions": "v2.6.12-rc2 to v6.7-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.0 }, "fixes": "e2b706c691905fe78468c361aaabc719d0a496f1", "last_affected_version": "6.6.4", "last_modified": "2024-01-12", "nvd_text": "A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\n\nA race condition can be exploited to cause a timer to be mistakenly registered on a RCU read locked object which is freed by another thread.\n\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-6932", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-6932", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-6932", "SUSE": "https://www.suse.com/security/cve/CVE-2023-6932", "Ubuntu": "https://ubuntu.com/security/CVE-2023-6932" } }, "CVE-2023-7042": { "affected_versions": "v3.11-rc1 to v6.9-rc1", "breaks": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5", "cmt_msg": "wifi: ath10k: fix NULL pointer dereference in 
ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "ad25ee36f00172f7d53242dc77c69fff7ced0755", "last_affected_version": "6.7.10", "last_modified": "2024-04-08", "nvd_text": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-7042", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-7042", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-7042", "SUSE": "https://www.suse.com/security/cve/CVE-2023-7042", "Ubuntu": "https://ubuntu.com/security/CVE-2023-7042" } }, "CVE-2023-7192": { "affected_versions": "v3.3-rc6 to v6.3-rc1", "breaks": "7d367e06688dc7a2cc98c2ace04e1296e1d987e2", "cmt_msg": "netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "score": 4.4 }, "fixes": "ac4893980bbe79ce383daf9a0885666a30fe4c83", "last_affected_version": "6.2.4", "last_modified": "2024-01-12", "nvd_text": "A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. 
This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2023-7192", "ExploitDB": "https://www.exploit-db.com/search?cve=2023-7192", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192", "Red Hat": "https://access.redhat.com/security/cve/CVE-2023-7192", "SUSE": "https://www.suse.com/security/cve/CVE-2023-7192", "Ubuntu": "https://ubuntu.com/security/CVE-2023-7192" } }, "CVE-2024-0193": { "affected_versions": "v6.5-rc6 to v6.7", "breaks": "5f68718b34a531a556f2f50300ead2862278da26", "cmt_msg": "netfilter: nf_tables: skip set commit for deleted/destroyed sets", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "High", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7 }, "fixes": "7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a", "last_affected_version": "6.6", "last_modified": "2024-01-15", "nvd_text": "A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. 
This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0193", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0193", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0193", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0193", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0193", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0193" } }, "CVE-2024-0340": { "affected_versions": "v2.6.12-rc2 to v6.4-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "vhost: use kzalloc() instead of kmalloc() followed by memset()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwe": "Unspecified", "fixes": "4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9", "last_affected_version": "6.1.77", "last_modified": "2024-02-24", "nvd_text": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. 
This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0340", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0340", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0340", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0340", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0340" } }, "CVE-2024-0443": { "affected_versions": "v6.2-rc1 to v6.4-rc7", "breaks": "3b8cc6298724021da845f2f9fd7dd4b6829a6817", "cmt_msg": "blk-cgroup: Flush stats before releasing blkcg_gq", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "20cb1c2fb7568a6054c55defe044311397e01ddb", "last_affected_version": "6.3.8", "last_modified": "2024-02-02", "nvd_text": "A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. 
This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0443", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0443", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0443", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0443", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0443", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0443" } }, "CVE-2024-0562": { "affected_versions": "v5.15-rc1 to v6.0-rc3", "breaks": "45a2966fd64147518dc5bca25f447bd0fb5359ac", "cmt_msg": "writeback: avoid use-after-free after removing device", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "f87904c075515f3e1d8f4a7115869d3b914674fd", "last_affected_version": "5.19.5", "last_modified": "2024-02-02", "nvd_text": "A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. 
However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0562", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0562", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0562", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0562", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0562", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0562" } }, "CVE-2024-0564": { "affected_versions": "v4.13-rc1 to unk", "breaks": "2c653d0ee2ae78ff3a174cc877a057c8afac7069", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Adjacent", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "fixes": "", "last_modified": "2024-02-09", "nvd_text": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". 
Through these operations, the attacker can leak the victim's page.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0564", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0564", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0564", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0564", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0564" } }, "CVE-2024-0565": { "affected_versions": "v4.19-rc1 to v6.7-rc6", "breaks": "b24df3e30cbf48255db866720fb71f14bf9d2f39", "cmt_msg": "smb: client: fix OOB in receive_encrypted_standard()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Network", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 8.8 }, "fixes": "eec04ea119691e65227a97ce53c0da6b9b74b0b7", "last_affected_version": "6.6.7", "last_modified": "2024-04-08", "nvd_text": "An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. 
This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0565", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0565", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0565", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0565", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0565", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0565" } }, "CVE-2024-0582": { "affected_versions": "v6.4-rc1 to v6.7-rc4", "breaks": "c56e022c0a27142b7b59ae6bdf45f86bf4b298a1", "cmt_msg": "io_uring/kbuf: defer release of mapped buffer rings", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "c392cbecd8eca4c53f2bf508731257d9d0a21c2d", "last_affected_version": "6.6.4", "last_modified": "2024-02-02", "nvd_text": "A memory leak flaw was found in the Linux kernel\u2019s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0582", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0582", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0582", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0582", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0582", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0582" } }, "CVE-2024-0584": { "affected_versions": "v2.6.12-rc2 to v6.7-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "None", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "fixes": "e2b706c691905fe78468c361aaabc719d0a496f1", "last_affected_version": "6.6.4", "last_modified": "2024-02-25", "nvd_text": "Rejected reason: Do not use this CVE as it is a duplicate of CVE-2023-6932", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0584", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0584", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0584", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0584", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0584", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0584" } }, "CVE-2024-0607": { "affected_versions": "v4.5-rc1 to v6.7-rc2", "breaks": "ce1e7989d989e36ee3b032d46aab28b7d5e30428", "cmt_msg": "netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "Low", "Integrity": "Low", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "score": 6.6 }, "cwe": "Unspecified", "fixes": "c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63", "last_affected_version": "6.6.2", "last_modified": "2024-02-24", "nvd_text": "A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0607", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0607", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0607", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0607", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0607", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0607" } }, "CVE-2024-0639": { "affected_versions": "v5.13-rc1 to v6.5-rc1", "breaks": "34e5b01186858b36c4d7c87e1a025071e8e2401f", "cmt_msg": "sctp: fix potential deadlock on &net->sctp.addr_wq_lock", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "6feb37b3b06e9049e20dcf7e23998f92c9c5be9a", "last_affected_version": "6.4.3", "last_modified": "2024-02-02", "nvd_text": "A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel\u2019s SCTP subsystem. 
This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0639", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0639", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0639", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0639" } }, "CVE-2024-0641": { "affected_versions": "v5.5-rc1 to v6.6-rc5", "breaks": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "cmt_msg": "tipc: fix a potential deadlock on &tx->lock", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "08e50cf071847323414df0835109b6f3560d44f5", "last_affected_version": "6.5.6", "last_modified": "2024-02-02", "nvd_text": "A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel\u2019s TIPC subsystem. 
This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0641", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0641", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0641", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0641", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0641", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0641" } }, "CVE-2024-0646": { "affected_versions": "v4.20-rc1 to v6.7-rc5", "breaks": "d829e9c4112b52f4f00195900fd4c685f61365ab", "cmt_msg": "net: tls, update curr on splice as well", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "c5a595000e2677e865a39f249c056bc05d6e55fd", "last_affected_version": "6.6.6", "last_modified": "2024-02-02", "nvd_text": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. 
This flaw allows a local user to crash or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0646", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0646", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0646", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0646" } }, "CVE-2024-0775": { "affected_versions": "v3.6-rc1 to v6.4-rc2", "breaks": "7c319d328505b7781b65238ae9f53293b5ee0ca8", "cmt_msg": "ext4: improve error recovery code paths in __ext4_remount()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "score": 7.1 }, "fixes": "4c0b4818b1f636bc96359f7817a2d8bab6370162", "last_affected_version": "6.3.2", "last_modified": "2024-02-02", "nvd_text": "A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. 
This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0775", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0775", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0775", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0775", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0775", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0775" } }, "CVE-2024-0841": { "affected_versions": "v5.1-rc1 to v6.8-rc4", "breaks": "32021982a324dce93b4ae00c06213bf45fb319c8", "cmt_msg": "fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "79d72c68c58784a3e1cd2378669d51bfd0cb7498", "last_affected_version": "6.7.5", "last_modified": "2024-04-08", "nvd_text": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. 
This issue may allow a local user to crash the system or potentially escalate their privileges on the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-0841", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-0841", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-0841", "SUSE": "https://www.suse.com/security/cve/CVE-2024-0841", "Ubuntu": "https://ubuntu.com/security/CVE-2024-0841" } }, "CVE-2024-1085": { "affected_versions": "v5.13-rc1 to v6.8-rc1", "breaks": "aaa31047a6d25da0fa101da1ed544e1247949b40", "cmt_msg": "netfilter: nf_tables: check if catch-all set element is active in next generation", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7", "last_affected_version": "6.7.1", "last_modified": "2024-02-09", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability.\n\nWe recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-1085", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-1085", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-1085", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-1085", "SUSE": 
"https://www.suse.com/security/cve/CVE-2024-1085", "Ubuntu": "https://ubuntu.com/security/CVE-2024-1085" } }, "CVE-2024-1086": { "affected_versions": "v3.15-rc1 to v6.8-rc2", "breaks": "e0abdadcc6e113ed2e22c85b350074487095875b", "cmt_msg": "netfilter: nf_tables: reject QUEUE/DROP verdict parameters", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "f342de4e2f33e0e39165d8639387aa6c19dff660", "last_affected_version": "6.7.2", "last_modified": "2024-02-24", "nvd_text": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\n\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-1086", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-1086", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-1086", "SUSE": "https://www.suse.com/security/cve/CVE-2024-1086", "Ubuntu": "https://ubuntu.com/security/CVE-2024-1086" } }, "CVE-2024-1151": { "affected_versions": "v4.12-rc1 to v6.8-rc5", "breaks": "798c166173ffb50128993641fcf791df51bed48e", "cmt_msg": "net: openvswitch: limit the number of recursions from action sets", "fixes": "6e2f90d31fe09f2b852de25125ca875aabd81367", "last_affected_version": "6.7.5", "last_modified": "2024-02-25", "nvd_text": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. 
The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-1151", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-1151", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-1151", "SUSE": "https://www.suse.com/security/cve/CVE-2024-1151", "Ubuntu": "https://ubuntu.com/security/CVE-2024-1151" } }, "CVE-2024-1312": { "affected_versions": "unk to v6.5-rc4", "backport": true, "breaks": "6c21e066f9256ea1df6f88768f6ae1080b7cf509", "cmt_msg": "mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "657b5146955eba331e01b9a6ae89ce2e716ba306", "last_affected_version": "6.4.9", "last_modified": "2024-02-25", "nvd_text": "A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. 
This issue could allow a local user to crash the system.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-1312", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-1312", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-1312", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-1312", "SUSE": "https://www.suse.com/security/cve/CVE-2024-1312", "Ubuntu": "https://ubuntu.com/security/CVE-2024-1312" } }, "CVE-2024-21803": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "", "last_modified": "2024-02-09", "nvd_text": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-21803", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-21803", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-21803", "SUSE": "https://www.suse.com/security/cve/CVE-2024-21803", "Ubuntu": "https://ubuntu.com/security/CVE-2024-21803" } }, "CVE-2024-2193": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2024-04-09", "nvd_text": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. 
An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-2193", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-2193", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-2193", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-2193", "SUSE": "https://www.suse.com/security/cve/CVE-2024-2193", "Ubuntu": "https://ubuntu.com/security/CVE-2024-2193" } }, "CVE-2024-22099": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "2535b848fa0f42ddff3e5255cf5e742c9b77bb26", "last_affected_version": "6.7.10", "last_modified": "2024-04-08", "nvd_text": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. 
This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-22099", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-22099", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-22099", "SUSE": "https://www.suse.com/security/cve/CVE-2024-22099", "Ubuntu": "https://ubuntu.com/security/CVE-2024-22099" } }, "CVE-2024-22386": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. 
This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-22386", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-22386", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-22386", "SUSE": "https://www.suse.com/security/cve/CVE-2024-22386", "Ubuntu": "https://ubuntu.com/security/CVE-2024-22386" } }, "CVE-2024-22705": { "affected_versions": "v5.15-rc1 to v6.7-rc8", "breaks": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9", "cmt_msg": "ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "d10c77873ba1e9e6b91905018e29e196fd5f863d", "last_affected_version": "6.6.9", "last_modified": "2024-02-09", "nvd_text": "An issue was discovered in ksmbd in the Linux kernel before 6.6.10. 
smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-22705", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-22705", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-22705", "SUSE": "https://www.suse.com/security/cve/CVE-2024-22705", "Ubuntu": "https://ubuntu.com/security/CVE-2024-22705" } }, "CVE-2024-23196": { "affected_versions": "unk to v6.5-rc1", "breaks": "", "cmt_msg": "ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "1f4a08fed450db87fbb5ff5105354158bdbe1a22", "last_affected_version": "6.4.11", "last_modified": "2024-04-08", "nvd_text": "A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. 
This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-23196", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-23196", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-23196", "SUSE": "https://www.suse.com/security/cve/CVE-2024-23196", "Ubuntu": "https://ubuntu.com/security/CVE-2024-23196" } }, "CVE-2024-23307": { "affected_versions": "v4.1-rc1 to v6.9-rc1", "breaks": "edbe83ab4c27ea6669eb57adb5ed7eaec1118ceb", "cmt_msg": "md/raid5: fix atomicity violation in raid5_cache_count", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "dfd2bf436709b2bccb78c2dda550dde93700efa7", "last_affected_version": "6.7.11", "last_modified": "2024-04-08", "nvd_text": "Integer Overflow or Wraparound vulnerability in the Linux kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-23307", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-23307", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-23307", "SUSE": "https://www.suse.com/security/cve/CVE-2024-23307", "Ubuntu": "https://ubuntu.com/security/CVE-2024-23307" } }, "CVE-2024-23848": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2024-02-02", "nvd_text": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-23848", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-23848", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-23848", "SUSE": "https://www.suse.com/security/cve/CVE-2024-23848", "Ubuntu": "https://ubuntu.com/security/CVE-2024-23848" } }, "CVE-2024-23849": { "affected_versions": "v4.11-rc1 to v6.8-rc2", "breaks": "3289025aedc018f8fd9d0e37fb9efa0c6d531ffa", "cmt_msg": "net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "13e788deb7348cc88df34bed736c3b3b9927ea52", "last_affected_version": "6.7.2", "last_modified": "2024-02-24", "nvd_text": "In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-23849", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-23849", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-23849", "SUSE": "https://www.suse.com/security/cve/CVE-2024-23849", "Ubuntu": "https://ubuntu.com/security/CVE-2024-23849" } }, "CVE-2024-23850": { "affected_versions": "v5.9-rc1 to v6.8-rc4", "breaks": 
"2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "cmt_msg": "btrfs: do not ASSERT() if the newly created subvolume already got read", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", "last_affected_version": "6.7.5", "last_modified": "2024-02-24", "nvd_text": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-23850", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-23850", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-23850", "SUSE": "https://www.suse.com/security/cve/CVE-2024-23850", "Ubuntu": "https://ubuntu.com/security/CVE-2024-23850" } }, "CVE-2024-23851": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dm: limit the number of targets and parameter size area", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "cwe": "Unspecified", "fixes": "bd504bcfec41a503b32054da5472904b404341a4", "last_affected_version": "6.7.5", "last_modified": "2024-04-08", "nvd_text": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing 
param_kernel->data_size check. This is related to ctl_ioctl.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-23851", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-23851", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-23851", "SUSE": "https://www.suse.com/security/cve/CVE-2024-23851", "Ubuntu": "https://ubuntu.com/security/CVE-2024-23851" } }, "CVE-2024-24855": { "affected_versions": "v2.6.34-rc1 to v6.5-rc2", "breaks": "ecfd03c6a99ad98fea5cb75ec83cd9945adff8d9", "cmt_msg": "scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "0e881c0a4b6146b7e856735226208f48251facd8", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. 
This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24855", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24855", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24855", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24855", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24855" } }, "CVE-2024-24857": { "affected_versions": "v3.16-rc1 to unk", "breaks": "31ad169148df2252a774c73c504aff43bfa4b656", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "score": 6.8 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. 
This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24857", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24857", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24857", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24857", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24857" } }, "CVE-2024-24858": { "affected_versions": "v3.13-rc1 to unk", "breaks": "4e70c7e71c5f9cf11013628ab5a0ced449b1c7b2", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.3 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. 
This can result in an L2CAP connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24858", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24858", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24858", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24858", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24858" } }, "CVE-2024-24859": { "affected_versions": "v2.6.18-rc1 to unk", "breaks": "04837f6447c7f3ef114cda1ad761822dedbff8cf", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "Required", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "score": 4.8 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. 
This can result in a bluetooth sniffing exception issue, possibly leading to denial of service.\n\n\n\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24859", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24859", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24859", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24859", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24859" } }, "CVE-2024-24860": { "affected_versions": "v4.2-rc1 to v6.8-rc1", "breaks": "2fd36558f02c0606768929fc77671716680d01c2", "cmt_msg": "Bluetooth: Fix atomicity violation in {min,max}_key_size_set", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Adjacent", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "None", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.3 }, "fixes": "da9065caa594d19b26e1a030fd0cc27bd365d685", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. 
This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24860", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24860", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24860", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24860", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24860" } }, "CVE-2024-24861": { "affected_versions": "unk to v6.9-rc1", "breaks": "", "cmt_msg": "media: xc4000: Fix atomicity violation in xc4000_get_frequency", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "score": 6.3 }, "fixes": "36d503ad547d1c75758a6fcdbec2806f1b6aeb41", "last_affected_version": "6.7.11", "last_modified": "2024-04-08", "nvd_text": "A race condition was found in the Linux kernel's media/xc4000 device driver in the xc4000_get_frequency() function. 
This can result in a return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24861", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24861", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24861", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24861", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24861" } }, "CVE-2024-24864": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "", "last_modified": "2024-02-25", "nvd_text": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. 
This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-24864", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-24864", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-24864", "SUSE": "https://www.suse.com/security/cve/CVE-2024-24864", "Ubuntu": "https://ubuntu.com/security/CVE-2024-24864" } }, "CVE-2024-25739": { "affected_versions": "v2.6.22-rc1 to unk", "breaks": "801c135ce73d5df1caf3eca35b66a10824ae0707", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2024-04-09", "nvd_text": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-25739", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-25739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-25739", "SUSE": "https://www.suse.com/security/cve/CVE-2024-25739", "Ubuntu": "https://ubuntu.com/security/CVE-2024-25739" } }, "CVE-2024-25740": { "affected_versions": "unk to unk", "breaks": "", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "", "last_modified": "2024-04-09", "nvd_text": "A memory leak flaw was found 
in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-25740", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-25740", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-25740", "SUSE": "https://www.suse.com/security/cve/CVE-2024-25740", "Ubuntu": "https://ubuntu.com/security/CVE-2024-25740" } }, "CVE-2024-25741": { "affected_versions": "unk to unk", "breaks": "", "fixes": "", "last_modified": "2024-02-25", "nvd_text": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-25741", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-25741", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-25741", "SUSE": "https://www.suse.com/security/cve/CVE-2024-25741", "Ubuntu": "https://ubuntu.com/security/CVE-2024-25741" } }, "CVE-2024-25744": { "affected_versions": "v2.6.12-rc2 to v6.7-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "x86/coco: Disable 32-bit emulation by default on TDX and SEV", "fixes": "b82a8dbd3d2f4563156f7150c6f2ecab6e960b30", "last_affected_version": "6.6.6", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. 
This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-25744", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-25744", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-25744", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-25744", "SUSE": "https://www.suse.com/security/cve/CVE-2024-25744", "Ubuntu": "https://ubuntu.com/security/CVE-2024-25744" } }, "CVE-2024-26581": { "affected_versions": "v6.5-rc4 to v6.8-rc4", "breaks": "f718863aca469a109895cb855e6b81fff4827d71", "cmt_msg": "netfilter: nft_set_rbtree: skip end interval element from gc", "fixes": "60c0c230c6f046da536d3df8b39a20b9a9fd6af0", "last_affected_version": "6.7.4", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26581", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26581", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26581", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26581", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26581" } }, "CVE-2024-26582": { "affected_versions": "v6.0-rc1 to v6.8-rc5", "breaks": "fd31f3996af2", "cmt_msg": "net: tls: fix use-after-free with partial reads and async decrypt", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": 
"32b55c5ff9103b8508c1e04bfa5a08c64e7a925f", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26582", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26582", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26582", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26582", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26582" } }, "CVE-2024-26583": { "affected_versions": "v5.7 to v6.8-rc5", "breaks": "0cada33241d9de205522e3858b18e506ca5cce2c", "cmt_msg": "tls: fix race between async notify and socket close", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "aec7961916f3f9e88766e2688992da6980f11b8d", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with 
reiniting the completion, either, we are now\ntightly controlling when completion fires.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26583", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26583", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26583", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26583", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26583" } }, "CVE-2024-26584": { "affected_versions": "v4.16-rc1 to v6.8-rc5", "breaks": "a54667f6728c", "cmt_msg": "net: tls: handle backlogging of crypto requests", "fixes": "8590541473188741055d27b955db0777569438e3", "last_affected_version": "6.7.5", "last_modified": "2024-04-08", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. 
The handling is identical.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26584", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26584", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26584", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26584", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26584" } }, "CVE-2024-26585": { "affected_versions": "v4.20-rc1 to v6.8-rc5", "breaks": "a42055e8d2c3", "cmt_msg": "tls: fix race between tx work scheduling and socket close", "cvss3": { "Attack Complexity": "High", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 4.7 }, "fixes": "e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26585", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26585", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26585", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26585", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26585" } }, "CVE-2024-26586": { "affected_versions": "v4.19-rc1 to v6.8-rc1", "breaks": "c3ab435466d5", "cmt_msg": "mlxsw: spectrum_acl_tcam: Fix stack corruption", 
"cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "483ae90d8f976f8339cf81066312e1329f2d3706", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. 
It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26586", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26586", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26586", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26586", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26586" } }, "CVE-2024-26587": { "affected_versions": "v6.6-rc1 to v6.8-rc1", "breaks": "b63e78fca889e07931ec8f259701718a24e5052e", "cmt_msg": "net: netdevsim: don't try to destroy PHC on VFs", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": 
"None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "ea937f77208323d35ffe2f8d8fc81b00118bfcda", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netdevsim: don't try to destroy PHC on VFs\n\nPHC gets initialized in nsim_init_netdevsim(), which\nis only called if (nsim_dev_port_is_pf()).\n\nCreate a counterpart of nsim_init_netdevsim() and\nmove the mock_phc_destroy() there.\n\nThis fixes a crash trying to destroy netdevsim with\nVFs instantiated, as caught by running the devlink.sh test:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000b8\n RIP: 0010:mock_phc_destroy+0xd/0x30\n Call Trace:\n \n nsim_destroy+0x4a/0x70 [netdevsim]\n __nsim_dev_port_del+0x47/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x105/0x120 [netdevsim]\n nsim_drv_remove+0x2f/0xb0 [netdevsim]\n device_release_driver_internal+0x1a1/0x210\n bus_remove_device+0xd5/0x120\n device_del+0x159/0x490\n device_unregister+0x12/0x30\n del_device_store+0x11a/0x1a0 [netdevsim]\n kernfs_fop_write_iter+0x130/0x1d0\n vfs_write+0x30b/0x4b0\n ksys_write+0x69/0xf0\n do_syscall_64+0xcc/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26587", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26587", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26587", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26587", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26587", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26587" } }, "CVE-2024-26588": { "affected_versions": "v6.1-rc3 to v6.8-rc1", "breaks": "bbfddb904df6f82a5948687a2d57766216b9bc0f", "cmt_msg": "LoongArch: BPF: Prevent out-of-bounds memory access", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": 
"Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "36a87385e31c9343af9a4756598e704741250a67", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Prevent out-of-bounds memory access\n\nThe test_tag test triggers an unhandled page fault:\n\n # ./test_tag\n [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70\n [ 130.640501] Oops[#3]:\n [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a\n [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40\n [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000\n [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000\n [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70\n [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0\n [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0\n [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000\n [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000\n [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988\n [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988\n [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE)\n [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE)\n [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n [ 130.642554] ESTAT: 00010000 
[PIL] (IS= ECode=1 EsubCode=0)\n [ 130.642658] BADV: ffff80001b898004\n [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]\n [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)\n [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8\n [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0\n [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000\n [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000\n [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000\n [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000\n [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558\n [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000\n [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc\n [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0\n [ 130.644572] ...\n [ 130.644629] Call Trace:\n [ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988\n [ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec\n [ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0\n [ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44\n [ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588\n [ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c\n [ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94\n [ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158\n [ 130.645507]\n [ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91\n [ 130.645729]\n [ 130.646418] ---[ end trace 0000000000000000 ]---\n\nOn my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at\nloading a BPF prog with 2039 
instructions:\n\n prog = (struct bpf_prog *)ffff80001b894000\n insn = (struct bpf_insn *)(prog->insnsi)fff\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26588", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26588", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26588", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26588", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26588", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26588" } }, "CVE-2024-26589": { "affected_versions": "v4.20-rc1 to v6.8-rc1", "breaks": "d58e468b1112", "cmt_msg": "bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "High", "Integrity": "High", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "score": 7.8 }, "fixes": "22c7fa171a02d310e3a3f6ed46a698ca8a0060ed", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\n\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. 
So the variable offset is not checked.\n\nThe following prog is accepted:\n\n func#0 @0\n 0: R1=ctx() R10=fp0\n 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()\n 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()\n 2: (b7) r8 = 1024 ; R8_w=1024\n 3: (37) r8 /= 1 ; R8_w=scalar()\n 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,\n smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n 5: (0f) r7 += r8\n mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n var_off=(0x0; 0x400))\n 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()\n 7: (95) exit\n\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\n\n BUG: unable to handle page fault for address: ffffc90014c80038\n [...]\n Call Trace:\n \n bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n __bpf_prog_run include/linux/filter.h:651 [inline]\n bpf_prog_run include/linux/filter.h:658 [inline]\n bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non 
flow_keys prohibited\".", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26589", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26589", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26589", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26589", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26589", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26589" } }, "CVE-2024-26590": { "affected_versions": "v5.16-rc1 to v6.8-rc1", "breaks": "8f89926290c4", "cmt_msg": "erofs: fix inconsistent per-file compression format", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "118a8cf504d7dfa519562d000f423ee3ca75d2c4", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. 
Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26590", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26590", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26590", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26590", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26590" } }, "CVE-2024-26591": { "affected_versions": "v5.13-rc1 to v6.8-rc1", "breaks": "f3a95075549e0e5c36db922caf86847db7a35403", "cmt_msg": "bpf: Fix re-attachment branch in bpf_tracing_prog_attach", "cvss3": { "Attack Complexity": "Low", "Attack Vector": "Local", "Availability": "High", "Confidentiality": "None", "Integrity": "None", "Privileges Required": "Low", "Scope": "Unchanged", "User Interaction": "None", "raw": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "score": 5.5 }, "fixes": "715d82ba636cb3629a6e18a33bb9dbe53f9936ee", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix re-attachment branch in bpf_tracing_prog_attach\n\nThe following case can cause a crash due to missing attach_btf:\n\n1) load rawtp program\n2) load fentry program with rawtp as target_fd\n3) create tracing link for fentry program with target_fd = 0\n4) repeat 3\n\nIn the end we have:\n\n- prog->aux->dst_trampoline == NULL\n- tgt_prog == NULL (because we did not provide target_fd to link_create)\n- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)\n- the program was loaded for tgt_prog but we have no way to find out which one\n\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n Call Trace:\n \n ? __die+0x20/0x70\n ? page_fault_oops+0x15b/0x430\n ? fixup_exception+0x22/0x330\n ? exc_page_fault+0x6f/0x170\n ? asm_exc_page_fault+0x22/0x30\n ? 
bpf_tracing_prog_attach+0x279/0x560\n ? btf_obj_id+0x5/0x10\n bpf_tracing_prog_attach+0x439/0x560\n __sys_bpf+0x1cf4/0x2de0\n __x64_sys_bpf+0x1c/0x30\n do_syscall_64+0x41/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nReturn -EINVAL in this situation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26591", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26591", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26591", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26591", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26591", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26591" } }, "CVE-2024-26592": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "ksmbd: fix UAF issue in ksmbd_tcp_new_connection()", "fixes": "38d20c62903d669693a1869aa68c4dd5674e2544", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix UAF issue in ksmbd_tcp_new_connection()\n\nThe race is between the handling of a new TCP connection and\nits disconnection. 
It leads to UAF on `struct tcp_transport` in\nksmbd_tcp_new_connection() function.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26592", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26592", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26592", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26592", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26592", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26592" } }, "CVE-2024-26593": { "affected_versions": "v5.3-rc1 to v6.8-rc5", "breaks": "315cd67c9453", "cmt_msg": "i2c: i801: Fix block process call transactions", "fixes": "c1c9d0f6f7f1dbf29db996bd8e166242843a5f21", "last_affected_version": "6.7.5", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26593", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26593", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26593", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26593", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26593" } }, "CVE-2024-26594": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ksmbd: validate mech token in session setup", "fixes": "92e470163d96df8db6c4fa0f484e4a229edb903d", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability 
has been resolved:\n\nksmbd: validate mech token in session setup\n\nIf client send invalid mech token in session setup request, ksmbd\nvalidate and make the error if it is invalid.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26594", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26594", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26594", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26594", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26594", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26594" } }, "CVE-2024-26595": { "affected_versions": "v4.11-rc1 to v6.8-rc1", "breaks": "22a677661f5624539d394f681276171f92d714df", "cmt_msg": "mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path", "fixes": "efeb7dfea8ee10cdec11b6b6ba4e405edbe75809", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n 
entry_SYSCALL_64_after_hwframe+0x63/0x6b", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26595", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26595", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26595", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26595", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26595" } }, "CVE-2024-26596": { "affected_versions": "v6.1-rc1 to v6.8-rc1", "breaks": "4c3f80d22b2eca911143ce656fa45c4699ff5bf4", "cmt_msg": "net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events", "fixes": "844f104790bd69c2e4dbb9ee3eba46fde1fcea7b", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. 
So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[ 43.309174] ==================================================================\n[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[ 43.330058]\n[ 43.342436] Call trace:\n[ 43.366542] dsa_user_prechangeupper+0x30/0xe8\n[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8\n[ 43.375768] notifier_call_chain+0xa4/0x210\n[ 43.379985] raw_notifier_call_chain+0x24/0x38\n[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8\n[ 43.389120] netdev_upper_dev_link+0x70/0xa8\n[ 43.393424] register_vlan_dev+0x1bc/0x310\n[ 43.397554] vlan_newlink+0x210/0x248\n[ 43.401247] rtnl_newlink+0x9fc/0xe30\n[ 43.404942] rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type check, as customary.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26596", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26596", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26596", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26596", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26596" } }, "CVE-2024-26597": { "affected_versions": "v4.17-rc1 to v6.8-rc1", "breaks": "14452ca3b5ce304fb2fea96dbc9ca1e4e7978551", "cmt_msg": "net: qualcomm: rmnet: fix global oob in rmnet_policy", "fixes": "b33fb5b801c6db408b774a68e7c8722796b59ecc", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\n\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the 
netlink attributes. See bug\ntrace below:\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\n\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 
002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n \n\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\n\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\n\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. 
Hence use `IFLA_RMNET_MAX` here.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26597", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26597", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26597", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26597", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26597", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26597" } }, "CVE-2024-26598": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", "fixes": "ad362fe07fecf0aba839ff2cc59a3617bd42c33f", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. 
The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26598", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26598", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26598", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26598", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26598", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26598" } }, "CVE-2024-26599": { "affected_versions": "v5.17-rc1 to v6.8-rc1", "breaks": "3ab7b6ac5d829e60c3b89d415811ff1c9f358c8e", "cmt_msg": "pwm: Fix out-of-bounds access in of_pwm_single_xlate()", "fixes": "a297d07b9a1e4fb8cda25a4a2363a507d294b7c9", "last_affected_version": "6.7.1", "last_modified": "2024-02-25", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: Fix out-of-bounds access in of_pwm_single_xlate()\n\nWith args->args_count == 2 args->args[2] is not defined. 
Actually the\nflags are contained in args->args[1].", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26599", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26599", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26599", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26599", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26599", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26599" } }, "CVE-2024-26600": { "affected_versions": "v3.7-rc1 to v6.8-rc3", "breaks": "657b306a7bdfca4ae1514b533a0e7c3c6d26dbc6", "cmt_msg": "phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP", "fixes": "7104ba0f1958adb250319e68a15eff89ec4fd36d", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. 
Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. 
For USB peripheral only cases these both could be NULL.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26600", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26600", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26600", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26600", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26600" } }, "CVE-2024-26601": { "affected_versions": "v5.11-rc1 to v6.8-rc3", "breaks": "6bd97bf273bdb4944904e57480f6545bca48ad77", "cmt_msg": "ext4: regenerate buddy after block freeing failed if under fc replay", "fixes": "c9b528c35795b711331ed36dc3dbee90d5812d4e", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. 
This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26601", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26601", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26601", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26601", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26601" } }, "CVE-2024-26602": { "affected_versions": "v4.14-rc1 to v6.8-rc6", "breaks": "22e4ebb975822833b083533035233d128b30e98f", "cmt_msg": "sched/membarrier: reduce the ability to hammer on sys_membarrier", "fixes": "944d5fe50f3f03daacfea16300e656a1691c4a23", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. 
So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26602", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26602", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26602", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26602", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26602" } }, "CVE-2024-26603": { "affected_versions": "v5.14-rc1 to v6.8-rc4", "breaks": "fcb3635f5018e53024c6be3c3213737f469f74ff", "cmt_msg": "x86/fpu: Stop relying on userspace for info to fault in xsave buffer", "fixes": "d877550eaf2dc9090d782864c96939397a3c6835", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. 
It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26603", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26603", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26603", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26603", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26603" } }, "CVE-2024-26604": { "affected_versions": "v6.6-rc1 to v6.8-rc5", "breaks": "1b28cb81dab7c1eedc6034206f4e8d644046ad31", "cmt_msg": "Revert \"kobject: Remove redundant checks for whether ktype is NULL\"", "fixes": "3ca8fbabcceb8bfe44f7f50640092fd8f1de375c", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"kobject: Remove redundant checks for whether ktype is NULL\"\n\nThis reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31.\n\nIt is reported to cause problems, so revert it for now until the root\ncause can be found.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26604", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26604", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26604", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26604", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26604", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26604" } }, "CVE-2024-26605": { "affected_versions": "v6.7 to v6.8-rc3", "breaks": "f93e71aea6c60ebff8adbd8941e678302d377869", "cmt_msg": "PCI/ASPM: Fix deadlock when enabling ASPM", "fixes": "1e560864159d002b453da42bd2c13a1805515a20", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix 
deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26605", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26605", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26605", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26605", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26605" } }, "CVE-2024-26606": { "affected_versions": "v2.6.29-rc1 to v6.8-rc3", "breaks": 
"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7", "cmt_msg": "binder: signal epoll threads of self-work", "fixes": "97830f3c3088638ff90b20dfba2eb4d487bf14d7", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26606", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26606", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26606", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26606", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26606" } }, "CVE-2024-26607": { "affected_versions": "v5.0-rc1 to v6.8-rc2", "breaks": "21d808405fe49028036932dd969920f4fee4f481", "cmt_msg": "drm/bridge: sii902x: Fix probing race issue", "fixes": "08ac6f132dd77e40f786d8af51140c96c6d739c9", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\n[ 
53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\n[ 53.341174] platform_probe+0x68/0xc4\n[ 53.344841] really_probe+0x188/0x3c4\n[ 53.348501] __driver_probe_device+0x7c/0x16c\n[ 53.352854] driver_probe_device+0x3c/0x10c\n[ 53.357033] __device_attach_driver+0xbc/0x158\n[ 53.361472] bus_for_each_drv+0x88/0xe8\n[ 53.365303] __device_attach+0xa0/0x1b4\n[ 53.369135] device_initial_probe+0x14/0x20\n[ 53.373314] bus_probe_device+0xb0/0xb4\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\n[ 53.381757] process_one_work+0x1f0/0x518\n[ 53.385770] worker_thread+0x1e8/0x3dc\n[ 53.389519] kthread+0x11c/0x120\n[ 53.392750] ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). 
Now the sii902x bridge is ready from\n DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n However, the sii902x driver has not set up the i2c part yet, leading\n to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26607", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26607", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26607", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26607", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26607", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26607" } }, "CVE-2024-26608": { "affected_versions": "v5.15-rc1 to v6.8-rc2", "breaks": "0626e6641f6b467447c81dd7678a69c66f7746cf", "cmt_msg": "ksmbd: fix global oob in ksmbd_nl_policy", "fixes": "ebeae8adf89d9a82359f6659b1663d09beec2faa", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix global oob in ksmbd_nl_policy\n\nSimilar to a reported issue (check the commit b33fb5b801c6 (\"net:\nqualcomm: rmnet: fix global oob in rmnet_policy\"), my local fuzzer finds\nanother global out-of-bounds read for policy ksmbd_nl_policy. 
See bug\ntrace below:\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810\n\nCPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n __nlmsg_parse include/net/netlink.h:748 [inline]\n genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565\n genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdd66a8f359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 
4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003\nRBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000\n \n\nThe buggy address belongs to the variable:\n ksmbd_nl_policy+0x100/0xa80\n\nThe buggy address belongs to the physical page:\npage:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9\n ^\n ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05\n ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9\n==================================================================\n\nTo fix it, add a placeholder named __KSMBD_EVENT_MAX and let\nKSMBD_EVENT_MAX to be its original value - 1 according to what other\nnetlink families do. 
Also change two sites that refer the\nKSMBD_EVENT_MAX to correct value.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26608", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26608", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26608", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26608", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26608", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26608" } }, "CVE-2024-26610": { "affected_versions": "v5.5-rc1 to v6.8-rc2", "breaks": "cf29c5b66b9f83939367d90679eb68cdfa2f0356", "cmt_msg": "wifi: iwlwifi: fix a memory corruption", "fixes": "cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix a memory corruption\n\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we'll write past the buffer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26610", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26610", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26610", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26610", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26610", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26610" } }, "CVE-2024-26611": { "affected_versions": "v6.6-rc1 to v6.8-rc2", "breaks": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "cmt_msg": "xsk: fix usage of multi-buffer BPF helpers for ZC XDP", "fixes": "c5114710c8ce86b8317e9b448f4fd15c711c2a82", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix usage of multi-buffer BPF helpers for ZC XDP\n\nCurrently when packet is shrunk via bpf_xdp_adjust_tail() and memory\ntype is set to 
MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:\n\n[1136314.192256] BUG: kernel NULL pointer dereference, address:\n0000000000000034\n[1136314.203943] #PF: supervisor read access in kernel mode\n[1136314.213768] #PF: error_code(0x0000) - not-present page\n[1136314.223550] PGD 0 P4D 0\n[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257\n[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,\nBIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210\n[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86\n[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246\n[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:\n0000000000000000\n[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:\nffffc9003168c000\n[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:\n0000000000010000\n[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:\n0000000000000001\n[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:\n0000000000000001\n[1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)\nknlGS:0000000000000000\n[1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:\n00000000007706f0\n[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1136314.431890] PKRU: 55555554\n[1136314.439143] Call Trace:\n[1136314.446058] \n[1136314.452465] ? __die+0x20/0x70\n[1136314.459881] ? page_fault_oops+0x15b/0x440\n[1136314.468305] ? exc_page_fault+0x6a/0x150\n[1136314.476491] ? asm_exc_page_fault+0x22/0x30\n[1136314.484927] ? 
__xdp_return+0x6c/0x210\n[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0\n[1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60\n[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]\n[1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]\n[1136314.528506] ice_napi_poll+0x467/0x670 [ice]\n[1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0\n[1136314.546010] __napi_poll+0x29/0x1b0\n[1136314.553462] net_rx_action+0x133/0x270\n[1136314.561619] __do_softirq+0xbe/0x28e\n[1136314.569303] do_softirq+0x3f/0x60\n\nThis comes from __xdp_return() call with xdp_buff argument passed as\nNULL which is supposed to be consumed by xsk_buff_free() call.\n\nTo address this properly, in ZC case, a node that represents the frag\nbeing removed has to be pulled out of xskb_list. Introduce\nappropriate xsk helpers to do such node operation and use them\naccordingly within bpf_xdp_adjust_tail().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26611", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26611", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26611", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26611", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26611", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26611" } }, "CVE-2024-26612": { "affected_versions": "v5.17-rc1 to v6.8-rc2", "breaks": "9549332df4ed4e761a1d41c83f2c25d28bb22431", "cmt_msg": "netfs, fscache: Prevent Oops in fscache_put_cache()", "fixes": "3be0b3ed1d76c6703b9ee482b55f7e01c369cc68", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs, fscache: Prevent Oops in fscache_put_cache()\n\nThis function dereferences \"cache\" and then checks if it's\nIS_ERR_OR_NULL(). 
Check first, then dereference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26612", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26612", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26612", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26612", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26612", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26612" } }, "CVE-2024-26614": { "affected_versions": "v4.4-rc1 to v6.8-rc2", "breaks": "fff1f3001cc58b5064a0f1154a7ac09b76f29c44", "cmt_msg": "tcp: make sure init the accept_queue's spinlocks once", "fixes": "198bc90e0e734e5f98c3d2833e8390cac3df61b2", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: make sure init the accept_queue's spinlocks once\n\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 
CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n\n _raw_spin_unlock (kernel/locking/spinlock.c:186)\n inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n __netif_receive_skb_one_core (net/core/dev.c:5529)\n process_backlog (./include/linux/rcupdate.h:779)\n __napi_poll (net/core/dev.c:6533)\n net_rx_action (net/core/dev.c:6604)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n\n\n __local_bh_enable_ip (kernel/softirq.c:381)\n __dev_queue_xmit (net/core/dev.c:4374)\n ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n __ip_queue_xmit (net/ipv4/ip_output.c:535)\n __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n release_sock (net/core/sock.c:3536)\n inet_wait_for_connect (net/ipv4/af_inet.c:609)\n __inet_stream_connect (net/ipv4/af_inet.c:702)\n inet_stream_connect (net/ipv4/af_inet.c:748)\n __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n RIP: 0033:0x7fa10ff05a3d\n Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n RAX: ffffffffffffffda 
RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n\n\nThe issue triggering process is analyzed as follows:\nThread A Thread B\ntcp_v4_rcv\t//receive ack TCP packet inet_shutdown\n tcp_check_req tcp_disconnect //disconnect sock\n ... tcp_set_state(sk, TCP_CLOSE)\n inet_csk_complete_hashdance ...\n inet_csk_reqsk_queue_add \n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26614", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26614", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26614", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26614", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26614", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26614" } }, "CVE-2024-26615": { "affected_versions": "v4.19-rc1 to v6.8-rc2", "breaks": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d", "cmt_msg": "net/smc: fix illegal rmb_desc access in SMC-D connection dump", "fixes": "dbc153fd3c142909e564bb256da087e13fbf239c", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\n\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\n\n- run nginx/wrk test:\n smc_run nginx\n smc_run wrk -t 16 -c 1000 -d -H 'Connection: Close' \n\n- continuously dump SMC-D connections in parallel:\n watch -n 1 'smcss -D'\n\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE 6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n \n ? __die+0x24/0x70\n ? 
page_fault_oops+0x66/0x150\n ? exc_page_fault+0x69/0x140\n ? asm_exc_page_fault+0x26/0x30\n ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n ? __kmalloc_node_track_caller+0x35d/0x430\n ? __alloc_skb+0x77/0x170\n smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n smc_diag_dump+0x26/0x60 [smc_diag]\n netlink_dump+0x19f/0x320\n __netlink_dump_start+0x1dc/0x300\n smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n sock_diag_rcv_msg+0x121/0x140\n ? __pfx_sock_diag_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x5a/0x110\n sock_diag_rcv+0x28/0x40\n netlink_unicast+0x22a/0x330\n netlink_sendmsg+0x1f8/0x420\n __sock_sendmsg+0xb0/0xc0\n ____sys_sendmsg+0x24e/0x300\n ? copy_msghdr_from_user+0x62/0x80\n ___sys_sendmsg+0x7c/0xd0\n ? __do_fault+0x34/0x160\n ? do_read_fault+0x5f/0x100\n ? do_fault+0xb0/0x110\n ? __handle_mm_fault+0x2b0/0x6c0\n __sys_sendmsg+0x4d/0x80\n do_syscall_64+0x69/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. 
So fix it by checking before dump.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26615", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26615", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26615", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26615", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26615", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26615" } }, "CVE-2024-26616": { "affected_versions": "v6.4-rc1 to v6.8-rc2", "breaks": "e02ee89baa66c40e1002cf8b09141fce7265e0f5", "cmt_msg": "btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned", "fixes": "f546c4282673497a06ecb6190b50ae7f6c85b02f", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: avoid use-after-free when chunk length is not 64K aligned\n\n[BUG]\nThere is a bug report that, on a ext4-converted btrfs, scrub leads to\nvarious problems, including:\n\n- \"unable to find chunk map\" errors\n BTRFS info (device vdb): scrub: started on devid 1\n BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096\n BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 45056\n\n This would lead to unrepariable errors.\n\n- Use-after-free KASAN reports:\n ==================================================================\n BUG: KASAN: slab-use-after-free in __blk_rq_map_sg+0x18f/0x7c0\n Read of size 8 at addr ffff8881013c9040 by task btrfs/909\n CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-2 12/24/2023\n Call Trace:\n \n dump_stack_lvl+0x43/0x60\n print_report+0xcf/0x640\n kasan_report+0xa6/0xd0\n __blk_rq_map_sg+0x18f/0x7c0\n virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]\n 
virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]\n blk_mq_flush_plug_list.part.0+0x780/0x860\n __blk_flush_plug+0x1ba/0x220\n blk_finish_plug+0x3b/0x60\n submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n flush_scrub_stripes+0x38e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n scrub_chunk+0x178/0x200 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n btrfs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n __x64_sys_ioctl+0xbd/0x100\n do_syscall_64+0x5d/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n RIP: 0033:0x7f47e5e0952b\n\n- Crash, mostly due to above use-after-free\n\n[CAUSE]\nThe converted fs has the following data chunk layout:\n\n item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 itemsize 80\n length 86016 owner 2 stripe_len 65536 type DATA|single\n\nFor above logical bytenr 2214744064, it's at the chunk end\n(2214658048 + 86016 = 2214744064).\n\nThis means btrfs_submit_bio() would split the bio, and trigger endio\nfunction for both of the two halves.\n\nHowever scrub_submit_initial_read() would only expect the endio function\nto be called once, not any more.\nThis means the first endio function would already free the bbio::bio,\nleaving the bvec freed, thus the 2nd endio call would lead to\nuse-after-free.\n\n[FIX]\n- Make sure scrub_read_endio() only updates bits in its range\n Since we may read less than 64K at the end of the chunk, we should not\n touch the bits beyond chunk boundary.\n\n- Make sure scrub_submit_initial_read() only to read the chunk range\n This is done by calculating the real number of sectors we need to\n read, and add sector-by-sector to the bio.\n\nThankfully the scrub read 
repair path won't need extra fixes:\n\n- scrub_stripe_submit_repair_read()\n With above fixes, we won't update error bit for range beyond chunk,\n thus scrub_stripe_submit_repair_read() should never submit any read\n beyond the chunk.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26616", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26616", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26616", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26616", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26616", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26616" } }, "CVE-2024-26617": { "affected_versions": "v6.7-rc1 to v6.8-rc1", "breaks": "52526ca7fdb905a768a93f8faa418e9b988fc34b", "cmt_msg": "fs/proc/task_mmu: move mmu notification mechanism inside mm lock", "fixes": "4cccb6221cae6d020270606b9e52b1678fc8b71a", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: move mmu notification mechanism inside mm lock\n\nMove mmu notification mechanism inside mm lock to prevent race condition\nin other components which depend on it. The notifier will invalidate\nmemory range. 
Depending upon the number of iterations, different memory\nranges would be invalidated.\n\nThe following warning would be removed by this patch:\nWARNING: CPU: 0 PID: 5067 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 kvm_mmu_notifier_change_pte+0x860/0x960 arch/x86/kvm/../../../virt/kvm/kvm_main.c:734\n\nThere is no behavioural and performance change with this patch when\nthere is no component registered with the mmu notifier.\n\n[akpm@linux-foundation.org: narrow the scope of `range', per Sean]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26617", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26617", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26617", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26617", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26617", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26617" } }, "CVE-2024-26618": { "affected_versions": "v6.5-rc7 to v6.8-rc1", "breaks": "5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b", "cmt_msg": "arm64/sme: Always exit sme_alloc() early with existing storage", "fixes": "dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Always exit sme_alloc() early with existing storage\n\nWhen sme_alloc() is called with existing storage and we are not flushing we\nwill always allocate new storage, both leaking the existing storage and\ncorrupting the state. 
Fix this by separating the checks for flushing and\nfor existing storage as we do for SVE.\n\nCallers that reallocate (eg, due to changing the vector length) should\ncall sme_free() themselves.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26618", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26618", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26618", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26618", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26618", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26618" } }, "CVE-2024-26619": { "affected_versions": "v6.7-rc5 to v6.8-rc1", "breaks": "d8792a5734b0f3e58b898c2e2f910bfac48e9ee3", "cmt_msg": "riscv: Fix module loading free order", "fixes": "78996eee79ebdfe8b6f0e54cb6dcc792d5129291", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix module loading free order\n\nReverse order of kfree calls to resolve use-after-free error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26619", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26619", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26619", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26619", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26619", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26619" } }, "CVE-2024-26620": { "affected_versions": "v6.0-rc1 to v6.8-rc1", "breaks": "48cae940c31d2407d860d87c41d5f9871c0521db", "cmt_msg": "s390/vfio-ap: always filter entire AP matrix", "fixes": "850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/vfio-ap: always filter entire AP matrix\n\nThe vfio_ap_mdev_filter_matrix function is called whenever a new adapter or\ndomain is assigned to the 
mdev. The purpose of the function is to update\nthe guest's AP configuration by filtering the matrix of adapters and\ndomains assigned to the mdev. When an adapter or domain is assigned, only\nthe APQNs associated with the APID of the new adapter or APQI of the new\ndomain are inspected. If an APQN does not reference a queue device bound to\nthe vfio_ap device driver, then it's APID will be filtered from the mdev's\nmatrix when updating the guest's AP configuration.\n\nInspecting only the APID of the new adapter or APQI of the new domain will\nresult in passing AP queues through to a guest that are not bound to the\nvfio_ap device driver under certain circumstances. Consider the following:\n\nguest's AP configuration (all also assigned to the mdev's matrix):\n14.0004\n14.0005\n14.0006\n16.0004\n16.0005\n16.0006\n\nunassign domain 4\nunbind queue 16.0005\nassign domain 4\n\nWhen domain 4 is re-assigned, since only domain 4 will be inspected, the\nAPQNs that will be examined will be:\n14.0004\n16.0004\n\nSince both of those APQNs reference queue devices that are bound to the\nvfio_ap device driver, nothing will get filtered from the mdev's matrix\nwhen updating the guest's AP configuration. Consequently, queue 16.0005\nwill get passed through despite not being bound to the driver. 
This\nviolates the linux device model requirement that a guest shall only be\ngiven access to devices bound to the device driver facilitating their\npass-through.\n\nTo resolve this problem, every adapter and domain assigned to the mdev will\nbe inspected when filtering the mdev's matrix.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26620", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26620", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26620", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26620", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26620", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26620" } }, "CVE-2024-26621": { "affected_versions": "v6.7 to v6.8-rc3", "breaks": "efa7df3e3bb5da8e6abbe37727417f32a37fba47", "cmt_msg": "mm: huge_memory: don't force huge page alignment on 32 bit", "fixes": "4ef9ad19e17676b9ef071309bc62020e2373705d", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: don't force huge page alignment on 32 bit\n\ncommit efa7df3e3bb5 (\"mm: align larger anonymous mappings on THP\nboundaries\") caused two issues [1] [2] reported on 32 bit system or compat\nuserspace.\n\nIt doesn't make too much sense to force huge page alignment on 32 bit\nsystem due to the constrained virtual address space.\n\n[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/\n[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26621", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26621", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26621", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26621", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26621", "Ubuntu": 
"https://ubuntu.com/security/CVE-2024-26621" } }, "CVE-2024-26622": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "tomoyo: fix UAF write bug in tomoyo_write_control()", "fixes": "2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: fix UAF write bug in tomoyo_write_control()\n\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held. Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26622", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26622", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26622", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26622", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26622", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26622" } }, "CVE-2024-26623": { "affected_versions": "unk to v6.8-rc3", "breaks": "", "cmt_msg": "pds_core: Prevent race issues involving the adminq", "fixes": "7e82a8745b951b1e794cc780d46f3fbee5e93447", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: Prevent race issues involving the adminq\n\nThere are multiple paths that can result in using the pdsc's\nadminq.\n\n[1] pdsc_adminq_isr and the resulting work from queue_work(),\n i.e. 
pdsc_work_thread()->pdsc_process_adminq()\n\n[2] pdsc_adminq_post()\n\nWhen the device goes through reset via PCIe reset and/or\na fw_down/fw_up cycle due to bad PCIe state or bad device\nstate the adminq is destroyed and recreated.\n\nA NULL pointer dereference can happen if [1] or [2] happens\nafter the adminq is already destroyed.\n\nIn order to fix this, add some further state checks and\nimplement reference counting for adminq uses. Reference\ncounting was used because multiple threads can attempt to\naccess the adminq at the same time via [1] or [2]. Additionally,\nmultiple clients (i.e. pds-vfio-pci) can be using [2]\nat the same time.\n\nThe adminq_refcnt is initialized to 1 when the adminq has been\nallocated and is ready to use. Users/clients of the adminq\n(i.e. [1] and [2]) will increment the refcnt when they are using\nthe adminq. When the driver goes into a fw_down cycle it will\nset the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt\nto hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent\nany further adminq_refcnt increments. Waiting for the\nadminq_refcnt to hit 1 allows for any current users of the adminq\nto finish before the driver frees the adminq. Once the\nadminq_refcnt hits 1 the driver clears the refcnt to signify that\nthe adminq is deleted and cannot be used. 
On the fw_up cycle the\ndriver will once again initialize the adminq_refcnt to 1 allowing\nthe adminq to be used again.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26623", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26623", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26623", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26623", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26623", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26623" } }, "CVE-2024-26625": { "affected_versions": "unk to v6.8-rc3", "breaks": "", "cmt_msg": "llc: call sock_orphan() at release time", "fixes": "aa2b2eb3934859904c287bf5434647ba72e14c1c", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: call sock_orphan() at release time\n\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\n\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\n\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\n\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\n\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 
lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n list_empty include/linux/list.h:373 [inline]\n waitqueue_active include/linux/wait.h:127 [inline]\n sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n skb_release_all net/core/skbuff.c:1092 [inline]\n napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n napi_poll net/core/dev.c:6645 [inline]\n net_rx_action+0x956/0xe90 net/core/dev.c:6778\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n run_ksoftirqd kernel/softirq.c:921 [inline]\n run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n \n\nAllocated by task 5167:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:314 [inline]\n __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3813 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3019 [inline]\n sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n alloc_inode+0x5d/0x220 fs/inode.c:260\n new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n sock_alloc+0x40/0x270 net/socket.c:634\n __sock_create+0xbc/0x800 net/socket.c:1535\n 
sock_create net/socket.c:1622 [inline]\n __sys_socket_create net/socket.c:1659 [inline]\n __sys_socket+0x14c/0x260 net/socket.c:1706\n __do_sys_socket net/socket.c:1720 [inline]\n __se_sys_socket net/socket.c:1718 [inline]\n __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 0:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n poison_slab_object mm/kasan/common.c:241 [inline]\n __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2121 [inlin\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26625", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26625", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26625", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26625", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26625" } }, "CVE-2024-26626": { "affected_versions": "v6.8-rc1 to v6.8-rc3", "breaks": "bb7403655b3c3eb245d0ee330047cd3e20b3c4af", "fixes": "e622502c310f1069fd9f41cd38210553115f610a", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: fix kernel panic when forwarding mcast packets\n\nThe stacktrace was:\n[ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092\n[ 86.306815] #PF: supervisor read access in kernel mode\n[ 86.307717] #PF: error_code(0x0000) - not-present page\n[ 86.308624] PGD 0 P4D 0\n[ 86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G U 6.8.0-6wind-knet #1\n[ 86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014\n[ 86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f\n[ 86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246\n[ 86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000\n[ 86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[ 86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80\n[ 86.322873] FS: 00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000\n[ 86.324291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0\n[ 86.326589] Call Trace:\n[ 86.327036] \n[ 86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479)\n[ 86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434)\n[ 86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707)\n[ 86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264)\n[ 86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1))\n[ 86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563)\n[ 86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570)\n[ 86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.333183] ? 
srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273)\n[ 86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363)\n[ 86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[ 86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[ 86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944)\n[ 86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862)\n[ 86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181)\n[ 86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415)\n[ 86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836)\n[ 86.341408] ? 
security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13))\n[ 86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716)\n[ 86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313)\n[ 86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/kn\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26626", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26626", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26626", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26626", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26626", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26626" } }, "CVE-2024-26627": { "affected_versions": "unk to v6.8-rc3", "breaks": "", "cmt_msg": "scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler", "fixes": "4373534a9850627a2695317944898eb1283a2db0", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\n\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\n\nThis can be too heavy in case of recovery, such as:\n\n - N hardware queues\n\n - queue depth is M for each hardware queue\n\n - each scsi_host_busy() iterates over (N * M) tag/requests\n\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\n\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\n\nFix the issue by 
calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\n\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26627", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26627", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26627", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26627", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26627" } }, "CVE-2024-26629": { "affected_versions": "v5.19-rc1 to v6.8-rc2", "breaks": "ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b", "cmt_msg": "nfsd: fix RELEASE_LOCKOWNER", "fixes": "edcf9725150e42beeca42d085149f4c88fa97afd", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. 
This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. 
That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26629", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26629", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26629", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26629", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26629", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26629" } }, "CVE-2024-26630": { "affected_versions": "v6.5-rc1 to v6.8-rc7", "breaks": "cf264e1329fb0307e044f7675849f9f38b44c11a", "cmt_msg": "mm: cachestat: fix folio read-after-free in cache walk", "fixes": "3a75cb05d53f4a6823a32deb078de1366954a804", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: cachestat: fix folio read-after-free in cache walk\n\nIn cachestat, we access the folio from the page cache's xarray to compute\nits page offset, and check for its dirty and writeback flags. 
However, we\ndo not hold a reference to the folio before performing these actions,\nwhich means the folio can concurrently be released and reused as another\nfolio/page/slab.\n\nGet around this altogether by just using xarray's existing machinery for\nthe folio page offsets and dirty/writeback states.\n\nThis changes behavior for tmpfs files to now always report zeroes in their\ndirty and writeback counters. This is okay as tmpfs doesn't follow\nconventional writeback cache behavior: its pages get \"cleaned\" during\nswapout, after which they're no longer resident etc.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26630", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26630", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26630", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26630", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26630", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26630" } }, "CVE-2024-26631": { "affected_versions": "v5.13-rc1 to v6.8-rc1", "breaks": "2d9a93b4902be6a5504b5941dd15e9cd776aadca", "cmt_msg": "ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work", "fixes": "2e7ef287f07c74985f1bf2858bedc62bd9ebf155", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work\n\nidev->mc_ifc_count can be written over without proper locking.\n\nOriginally found by syzbot [1], fix this issue by encapsulating calls\nto mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with\nmutex_lock() and mutex_unlock() accordingly as these functions\nshould only be called with mc_lock per their declarations.\n\n[1]\nBUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work\n\nwrite to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:\n mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]\n ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725\n 
addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949\n addrconf_notify+0x310/0x980\n notifier_call_chain kernel/notifier.c:93 [inline]\n raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461\n __dev_notify_flags+0x205/0x3d0\n dev_change_flags+0xab/0xd0 net/core/dev.c:8685\n do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916\n rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3717 [inline]\n rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754\n rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558\n netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545\n rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910\n ...\n\nwrite to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:\n mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700\n worker_thread+0x525/0x730 kernel/workqueue.c:2781\n ...", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26631", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26631", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26631", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26631", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26631", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26631" } }, "CVE-2024-26632": { "affected_versions": "v5.17-rc1 to v6.8-rc1", "breaks": "640d1930bef4f87ec8d8d2b05f0f6edc1dfcf662", "cmt_msg": "block: Fix iterating over an empty bio with bio_for_each_folio_all", "fixes": "7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix iterating over an empty bio with 
bio_for_each_folio_all\n\nIf the bio contains no data, bio_first_folio() calls page_folio() on a\nNULL pointer and oopses. Move the test that we've reached the end of\nthe bio from bio_next_folio() to bio_first_folio().\n\n[axboe: add unlikely() to error case]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26632", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26632", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26632", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26632", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26632", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26632" } }, "CVE-2024-26633": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()", "fixes": "d375b98e0248980681e5e56b712026174d617198", "last_affected_version": "6.7.1", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\n\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\n\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. 
Currently we might access garbage.\n\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 
[inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26633", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26633", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-26633", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26633", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26633", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26633" } }, "CVE-2024-26634": { "affected_versions": "v6.6-rc7 to v6.8-rc2", "breaks": "7663d522099ecc464512164e660bc771b2ff7b64", "cmt_msg": "net: fix removing a namespace with conflicting altnames", "fixes": "d09486a04f5da0a812c26217213b89a3b1acf836", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix removing a namespace with conflicting altnames\n\nMark reports a BUG() when a net namespace is removed.\n\n kernel BUG at net/core/dev.c:11520!\n\nPhysical interfaces moved outside of init_net get \"refunded\"\nto init_net when that namespace disappears. The main interface\nname may get overwritten in the process if it would have\nconflicted. We need to also discard all conflicting altnames.\nRecent fixes addressed ensuring that altnames get moved\nwith the main interface, which surfaced this problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26634", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26634", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26634", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26634", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26634", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26634" } }, "CVE-2024-26635": { "affected_versions": "unk to v6.8-rc2", "breaks": "", "cmt_msg": "llc: Drop support for ETH_P_TR_802_2.", "fixes": "e3f9bed9bee261e3347131764e42aeedf1ffea61", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: Drop support for ETH_P_TR_802_2.\n\nsyzbot reported an uninit-value bug below. 
[0]\n\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\n\n write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\n\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\n\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\n\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\n\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\n\nLet's remove llc_tr_packet_type and complete the deprecation.\n\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 
arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26635", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26635", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26635", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26635", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26635", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26635" } }, "CVE-2024-26636": { "affected_versions": "unk to v6.8-rc2", "breaks": "", "cmt_msg": "llc: make llc_ui_sendmsg() more robust against bonding changes", "fixes": "dad555c816a50c6a6a8a86be1f9177673918c647", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: make llc_ui_sendmsg() more robust against bonding changes\n\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\n\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\n\nThis fix:\n\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\n\n[1]\n\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\n\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked 
in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n skb_panic net/core/skbuff.c:189 [inline]\n skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n skb_push+0xf0/0x108 net/core/skbuff.c:2451\n eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n dev_hard_header include/linux/netdevice.h:3188 [inline]\n llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_sendmsg+0x194/0x274 net/socket.c:767\n splice_to_socket+0x7cc/0xd58 
fs/splice.c:881\n do_splice_from fs/splice.c:933 [inline]\n direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n do_splice_direct+0x20c/0x348 fs/splice.c:1194\n do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26636", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26636", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26636", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26636", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26636", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26636" } }, "CVE-2024-26637": { "affected_versions": "v6.7 to v6.8-rc2", "breaks": "0a3d898ee9a8303d5b3982b97ef0703919c3ea76", "cmt_msg": "wifi: ath11k: rely on mac80211 debugfs handling for vif", "fixes": "556857aa1d0855aba02b1c63bc52b91ec63fc2cc", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: rely on mac80211 debugfs handling for vif\n\nmac80211 started to delete debugfs entries in certain cases, causing a\nath11k to crash when it tried to delete the entries later. 
Fix this by\nrelying on mac80211 to delete the entries when appropriate and adding\nthem from the vif_add_debugfs handler.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26637", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26637", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26637", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26637", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26637", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26637" } }, "CVE-2024-26638": { "affected_versions": "v5.19-rc1 to v6.8-rc1", "breaks": "f94fd25cb0aaf77fd7453f31c5d394a1a68ecf60", "cmt_msg": "nbd: always initialize struct msghdr completely", "fixes": "78fbb92af27d0982634116c7a31065f24d092826", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: always initialize struct msghdr completely\n\nsyzbot complains that msg->msg_get_inq value can be uninitialized [1]\n\nstruct msghdr got many new fields recently, we should always make\nsure their values is zero by default.\n\n[1]\n BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571\n tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571\n inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg+0x12b/0x1e0 net/socket.c:1066\n __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538\n nbd_read_reply drivers/block/nbd.c:732 [inline]\n recv_work+0x262/0x3100 drivers/block/nbd.c:863\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700\n worker_thread+0xf45/0x1490 kernel/workqueue.c:2781\n kthread+0x3ed/0x540 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n\nLocal variable msg created at:\n __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513\n nbd_read_reply 
drivers/block/nbd.c:732 [inline]\n recv_work+0x262/0x3100 drivers/block/nbd.c:863\n\nCPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: nbd5-recv recv_work", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26638", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26638", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26638", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26638", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26638", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26638" } }, "CVE-2024-26639": { "affected_versions": "v6.8-rc1 to v6.8-rc3", "breaks": "5ec8e8ea8b7783fab150cf86404fc38cb4db8800", "fixes": "f6564fce256a3944aa1bc76cb3c40e792d97c1eb", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, kmsan: fix infinite recursion due to RCU critical section\n\nAlexander Potapenko writes in [1]: \"For every memory access in the code\ninstrumented by KMSAN we call kmsan_get_metadata() to obtain the metadata\nfor the memory being accessed. For virtual memory the metadata pointers\nare stored in the corresponding `struct page`, therefore we need to call\nvirt_to_page() to get them.\n\nAccording to the comment in arch/x86/include/asm/page.h,\nvirt_to_page(kaddr) returns a valid pointer iff virt_addr_valid(kaddr) is\ntrue, so KMSAN needs to call virt_addr_valid() as well.\n\nTo avoid recursion, kmsan_get_metadata() must not call instrumented code,\ntherefore ./arch/x86/include/asm/kmsan.h forks parts of\narch/x86/mm/physaddr.c to check whether a virtual address is valid or not.\n\nBut the introduction of rcu_read_lock() to pfn_valid() added instrumented\nRCU API calls to virt_to_page_or_null(), which is called by\nkmsan_get_metadata(), so there is an infinite recursion now. 
I do not\nthink it is correct to stop that recursion by doing\nkmsan_enter_runtime()/kmsan_exit_runtime() in kmsan_get_metadata(): that\nwould prevent instrumented functions called from within the runtime from\ntracking the shadow values, which might introduce false positives.\"\n\nFix the issue by switching pfn_valid() to the _sched() variant of\nrcu_read_lock/unlock(), which does not require calling into RCU. Given\nthe critical section in pfn_valid() is very small, this is a reasonable\ntrade-off (with preemptible RCU).\n\nKMSAN further needs to be careful to suppress calls into the scheduler,\nwhich would be another source of recursion. This can be done by wrapping\nthe call to pfn_valid() into preempt_disable/enable_no_resched(). The\ndownside is that this sacrifices breaking scheduling guarantees; however,\na kernel compiled with KMSAN has already given up any performance\nguarantees due to being heavily instrumented.\n\nNote, KMSAN code already disables tracing via Makefile, and since mmzone.h\nis included, it is not necessary to use the notrace variant, which is\ngenerally preferred in all other cases.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26639", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26639", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26639", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26639", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26639", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26639" } }, "CVE-2024-26640": { "affected_versions": "v4.18-rc1 to v6.8-rc3", "breaks": "93ab6cc69162775201587cc9da00d5016dc890e2", "cmt_msg": "tcp: add sanity checks to rx zerocopy", "fixes": "577e4432f3ac810049cb7e6b71f4d96ec7c6e894", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add sanity checks to rx zerocopy\n\nTCP rx zerocopy intent is to map pages initially 
allocated\nfrom NIC drivers, not pages owned by a fs.\n\nThis patch adds to can_map_frag() these additional checks:\n\n- Page must not be a compound one.\n- page->mapping must be NULL.\n\nThis fixes the panic reported by ZhangPeng.\n\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\n\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n 0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n 0x181e42, 0x0)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26640", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26640", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26640", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26640", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26640", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26640" } }, "CVE-2024-26641": { "affected_versions": "v4.7-rc1 to v6.8-rc3", "breaks": "0d3c703a9d1723c7707e0680019ac8ff5922db42", "cmt_msg": "ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()", "fixes": "8d975c15c0cd744000ca386247432d57b21f9df0", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\n\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\n\nCall pskb_inet_may_pull() to 
fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:461 [inline]\n ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n netif_receive_skb_internal net/core/dev.c:5732 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2084 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x786/0x1200 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 
arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n tun_alloc_skb drivers/net/tun.c:1531 [inline]\n tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2084 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x786/0x1200 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26641", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26641", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26641", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26641", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26641", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26641" } }, "CVE-2024-26642": { "affected_versions": "v4.1-rc1 to v6.8", "breaks": "761da2935d6e18d178582dbdf315a3a458555505", "cmt_msg": "netfilter: nf_tables: disallow anonymous set with timeout flag", "fixes": "16603605b667b70da974bea8216c93e7db043bf1", "last_affected_version": "6.7.11", 
"last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26642", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26642", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26642", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26642", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26642", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26642" } }, "CVE-2024-26643": { "affected_versions": "v6.5-rc6 to v6.8", "breaks": "5f68718b34a531a556f2f50300ead2862278da26", "cmt_msg": "netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout", "fixes": "552705a3650bbf46a22b1adedc1b04181490fc36", "last_affected_version": "6.7.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout\n\nWhile the rhashtable set gc runs asynchronously, a race allows it to\ncollect elements from anonymous sets with timeouts while it is being\nreleased from the commit path.\n\nMingi Cho originally reported this issue in a different path in 6.1.x\nwith a pipapo set with low timeouts which is not possible upstream since\n7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set\nelement timeout\").\n\nFix this by setting on the dead flag for anonymous sets to skip async gc\nin this case.\n\nAccording to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on\ntransaction abort\"), Florian plans to accelerate abort path by releasing\nobjects via workqueue, therefore, this sets on the dead flag for abort\npath too.", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2024-26643", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26643", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26643", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26643", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26643", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26643" } }, "CVE-2024-26644": { "affected_versions": "v2.6.12-rc2 to v6.8-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: don't abort filesystem when attempting to snapshot deleted subvolume", "fixes": "7081929ab2572920e94d70be3d332e5c9f97095a", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\n\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\n\n BTRFS: Transaction aborted (error -2)\n WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n Call Trace:\n \n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? __warn+0x81/0x130\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? report_bug+0x171/0x1a0\n ? handle_bug+0x3a/0x70\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n create_pending_snapshots+0x92/0xc0 [btrfs]\n btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n btrfs_mksubvol+0x301/0x4d0 [btrfs]\n btrfs_mksnapshot+0x80/0xb0 [btrfs]\n __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n btrfs_ioctl+0x8a6/0x2650 [btrfs]\n ? kmem_cache_free+0x22/0x340\n ? do_sys_openat2+0x97/0xe0\n __x64_sys_ioctl+0x97/0xd0\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n RIP: 0033:0x7fe20abe83af\n RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n \n ---[ end trace 0000000000000000 ]---\n BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n BTRFS info (device vdc: state EA): forced readonly\n BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\n\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. 
btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\n\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26644", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26644", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26644", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26644", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26644", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26644" } }, "CVE-2024-26645": { "affected_versions": "v4.17-rc1 to v6.8-rc2", "breaks": "c193707dde77ace92a649cd59a17e105e2fbeaef", "cmt_msg": "tracing: Ensure visibility when inserting an element into tracing_map", "fixes": "2b44760609e9eaafc9d234a6883d042fc21132a7", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Ensure visibility when inserting an element into tracing_map\n\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\n\n $ while true; do\n echo hist:key=id.syscall:val=hitcount > \\\n /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n sleep 0.001\n done\n $ stress-ng --sysbadaddr $(nproc)\n\nThe warning looks as follows:\n\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) 
fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626] tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220] hist_show+0x124/0x800\n[ 2911.195692] seq_read_iter+0x1d4/0x4e8\n[ 2911.196193] seq_read+0xe8/0x138\n[ 2911.196638] vfs_read+0xc8/0x300\n[ 2911.197078] 
ksys_read+0x70/0x108\n[ 2911.197534] __arm64_sys_read+0x24/0x38\n[ 2911.198046] invoke_syscall+0x78/0x108\n[ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157] do_el0_svc+0x28/0x40\n[ 2911.199613] el0_svc+0x40/0x178\n[ 2911.200048] el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621] el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\n\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\n\nThe check for the presence of an element with a given key in this\nfunction is:\n\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\n\nThe write of a new entry is:\n\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\n\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26645", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26645", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26645", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26645", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26645", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26645" } }, "CVE-2024-26646": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "thermal: intel: hfi: Add syscore callbacks for system-wide PM", "fixes": "97566d09fd02d2ab329774bb89a2cdf2267e86d9", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel: hfi: Add syscore callbacks for system-wide PM\n\nThe kernel allocates a memory buffer and provides its location to the\nhardware, which 
uses it to update the HFI table. This allocation occurs\nduring boot and remains constant throughout runtime.\n\nWhen resuming from hibernation, the restore kernel allocates a second\nmemory buffer and reprograms the HFI hardware with the new location as\npart of a normal boot. The location of the second memory buffer may\ndiffer from the one allocated by the image kernel.\n\nWhen the restore kernel transfers control to the image kernel, its HFI\nbuffer becomes invalid, potentially leading to memory corruption if the\nhardware writes to it (the hardware continues to use the buffer from the\nrestore kernel).\n\nIt is also possible that the hardware \"forgets\" the address of the memory\nbuffer when resuming from \"deep\" suspend. Memory corruption may also occur\nin such a scenario.\n\nTo prevent the described memory corruption, disable HFI when preparing to\nsuspend or hibernate. Enable it when resuming.\n\nAdd syscore callbacks to handle the package of the boot CPU (packages of\nnon-boot CPUs are handled via CPU offline). Syscore ops always run on the\nboot CPU. Additionally, HFI only needs to be disabled during \"deep\" suspend\nand hibernation. 
Syscore ops only run in these cases.\n\n[ rjw: Comment adjustment, subject and changelog edits ]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26646", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26646", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26646", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26646", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26646", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26646" } }, "CVE-2024-26647": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'", "fixes": "3bb9b1f958c3d986ed90a3ff009f1e77e9553207", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26647", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26647", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26647", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26647", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26647", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26647" } }, "CVE-2024-26648": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()", "fixes": 
"7073934f5d73f8b53308963cee36f0d389ea857c", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26648", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26648", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26648", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26648", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26648" } }, "CVE-2024-26649": { "affected_versions": "v6.3-rc1 to v6.8-rc1", "breaks": "3da9b71563cbb7281875adab1d7c4132679da987", "cmt_msg": "drm/amdgpu: Fix the null pointer when load rlc firmware", "fixes": "bc03c02cc1991a066b23e69bbcc0f66e8f1f7453", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer when load rlc firmware\n\nIf the RLC firmware is invalid because of wrong header size,\nthe pointer to the rlc firmware is released in function\namdgpu_ucode_request. There will be a null pointer error\nin subsequent use. 
So skip validation to fix it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26649", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26649", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26649", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26649", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26649", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26649" } }, "CVE-2024-26650": { "affected_versions": "unk to v6.8-rc2", "breaks": "", "cmt_msg": "platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe", "fixes": "5913320eb0b3ec88158cfcb0fa5e996bf4ef681b", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe\n\np2sb_bar() unhides P2SB device to get resources from the device. It\nguards the operation by locking pci_rescan_remove_lock so that parallel\nrescans do not find the P2SB device. However, this lock causes deadlock\nwhen PCI bus rescan is triggered by /sys/bus/pci/rescan. The rescan\nlocks pci_rescan_remove_lock and probes PCI devices. When PCI devices\ncall p2sb_bar() during probe, it locks pci_rescan_remove_lock again.\nHence the deadlock.\n\nTo avoid the deadlock, do not lock pci_rescan_remove_lock in p2sb_bar().\nInstead, do the lock at fs_initcall. Introduce p2sb_cache_resources()\nfor fs_initcall which gets and caches the P2SB resources. At p2sb_bar(),\nrefer the cache and return to the caller.\n\nBefore operating the device at P2SB DEVFN for resource cache, check\nthat its device class is PCI_CLASS_MEMORY_OTHER 0x0580 that PCH\nspecifications define. 
This avoids unexpected operation to other devices\nat the same DEVFN.\n\nTested-by Klara Modin ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26650", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26650", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26650", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26650", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26650", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26650" } }, "CVE-2024-26651": { "affected_versions": "unk to v6.9-rc1", "breaks": "", "cmt_msg": "sr9800: Add check for usbnet_get_endpoints", "fixes": "07161b2416f740a2cb87faa5566873f401440a61", "last_affected_version": "6.7.10", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsr9800: Add check for usbnet_get_endpoints\n\nAdd check for usbnet_get_endpoints() and return the error if it fails\nin order to transfer the error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26651", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26651", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26651", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26651", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26651", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26651" } }, "CVE-2024-26652": { "affected_versions": "v6.4-rc1 to v6.8", "breaks": "4569cce43bc61e4cdd76597a1cf9b608846c18cc", "cmt_msg": "net: pds_core: Fix possible double free in error handling path", "fixes": "ba18deddd6d502da71fd6b6143c53042271b82bd", "last_affected_version": "6.7.9", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pds_core: Fix possible double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release\ncalls kfree(padev) to free memory. 
We shouldn't call kfree(padev)\nagain in the error handling path.\n\nFix this by cleaning up the redundant kfree() and putting\nthe error handling back to where the errors happened.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26652", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26652", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26652", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26652", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26652", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26652" } }, "CVE-2024-26653": { "affected_versions": "v6.7-rc1 to v6.9-rc2", "breaks": "acd6199f195d6de814ac4090ce0864a613b1580e", "cmt_msg": "usb: misc: ljca: Fix double free in error handling path", "fixes": "7c9631969287a5366bc8e39cd5abff154b35fb80", "last_affected_version": "6.7.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: ljca: Fix double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), callback function ljca_auxdev_release\ncalls kfree(auxdev->dev.platform_data) to free the parameter data\nof the function ljca_new_client_device. 
The callers of\nljca_new_client_device shouldn't call kfree() again\nin the error handling path to free the platform data.\n\nFix this by cleaning up the redundant kfree() in all callers and\nadding kfree() the passed in platform_data on errors which happen\nbefore auxiliary_device_init() succeeds .", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26653", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26653", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26653", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26653", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26653", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26653" } }, "CVE-2024-26654": { "affected_versions": "unk to v6.9-rc2", "breaks": "", "cmt_msg": "ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", "fixes": "051e0840ffa8ab25554d6b14b62c9ab9e4901457", "last_affected_version": "6.7.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... 
| dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26654", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26654", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26654", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26654", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26654", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26654" } }, "CVE-2024-26655": { "affected_versions": "unk to v6.9-rc2", "breaks": "", "cmt_msg": "Fix memory leak in posix_clock_open()", "fixes": "5b4cdd9c5676559b8a7c944ac5269b914b8c0bb8", "last_affected_version": "6.7.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix memory leak in posix_clock_open()\n\nIf the clk ops.open() function returns an error, we don't release the\npccontext we allocated for this clock.\n\nRe-organize the code slightly to make it all more obvious.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26655", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26655", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26655", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26655", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26655", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26655" } }, "CVE-2024-26656": { "affected_versions": "v2.6.12-rc2 to v6.9-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amdgpu: fix use-after-free bug", "fixes": "22207fd5c80177b860279653d017474b2812af5e", "last_affected_version": "6.7.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been 
resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 
0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? 
__pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26656", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26656", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26656", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26656", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26656", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26656" } }, "CVE-2024-26657": { "affected_versions": "v6.7-rc1 to v6.9-rc2", "breaks": "56e449603f0ac580700621a356d35d5716a62ce5", "cmt_msg": "drm/sched: fix null-ptr-deref in init entity", "fixes": "f34e8bb7d6c6626933fe993e03ed59ae85e16abb", "last_affected_version": "6.7.11", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: fix null-ptr-deref in init entity\n\nThe bug can be triggered by sending an amdgpu_cs_wait_ioctl\nto the AMDGPU DRM driver on any ASICs with valid context.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\n static void Syzkaller2(int fd)\n {\n\tunion drm_amdgpu_ctx arg1;\n\tunion drm_amdgpu_wait_cs arg2;\n\n\targ1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;\n\tret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1);\n\n\targ2.in.handle = 0x0;\n\targ2.in.timeout = 0x2000000000000;\n\targ2.in.ip_type = AMD_IP_VPE /* 0x9 */;\n\targ2->in.ip_instance = 0x0;\n\targ2.in.ring = 0x0;\n\targ2.in.ctx_id = arg1.out.alloc.ctx_id;\n\n\tdrmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, &arg2);\n }\n\nThe ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that\nthe error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa\nmodified the logic and allowed to have sched_rq equal to NULL.\n\nAs a result when there is no job the ioctl AMDGPU_WAIT_CS returns success.\nThe change fixes null-ptr-deref in init entity and the stack below demonstrates\nthe error condition:\n\n[ +0.000007] BUG: 
kernel NULL pointer dereference, address: 0000000000000028\n[ +0.007086] #PF: supervisor read access in kernel mode\n[ +0.005234] #PF: error_code(0x0000) - not-present page\n[ +0.005232] PGD 0 P4D 0\n[ +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4\n[ +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[ +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c\n[ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282\n[ +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa\n[ +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0\n[ +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c\n[ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010\n[ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000\n[ +0.007264] FS: 00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000\n[ +0.008236] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0\n[ +0.007175] Call Trace:\n[ +0.002561] \n[ +0.002141] ? show_regs+0x6a/0x80\n[ +0.003473] ? __die+0x25/0x70\n[ +0.003124] ? page_fault_oops+0x214/0x720\n[ +0.004179] ? preempt_count_sub+0x18/0xc0\n[ +0.004093] ? __pfx_page_fault_oops+0x10/0x10\n[ +0.004590] ? srso_return_thunk+0x5/0x5f\n[ +0.004000] ? vprintk_default+0x1d/0x30\n[ +0.004063] ? srso_return_thunk+0x5/0x5f\n[ +0.004087] ? vprintk+0x5c/0x90\n[ +0.003296] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[ +0.005807] ? srso_return_thunk+0x5/0x5f\n[ +0.004090] ? _printk+0xb3/0xe0\n[ +0.003293] ? 
__pfx__printk+0x10/0x10\n[ +0.003735] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.005482] ? do_user_addr_fault+0x345/0x770\n[ +0.004361] ? exc_page_fault+0x64/0xf0\n[ +0.003972] ? asm_exc_page_fault+0x27/0x30\n[ +0.004271] ? add_taint+0x2a/0xa0\n[ +0.003476] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[ +0.005812] amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]\n[ +0.009530] ? finish_task_switch.isra.0+0x129/0x470\n[ +0.005068] ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]\n[ +0.010063] ? __kasan_check_write+0x14/0x20\n[ +0.004356] ? srso_return_thunk+0x5/0x5f\n[ +0.004001] ? mutex_unlock+0x81/0xd0\n[ +0.003802] ? srso_return_thunk+0x5/0x5f\n[ +0.004096] amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]\n[ +0.009355] ? __pfx_\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26657", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26657", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26657", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26657", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26657", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26657" } }, "CVE-2024-26658": { "affected_versions": "unk to v6.8-rc1", "breaks": "", "cmt_msg": "bcachefs: grab s_umount only if snapshotting", "fixes": "2acc59dd88d27ad69b66ded80df16c042b04eeec", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n 
dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 
3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26658", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26658", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26658", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26658", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26658", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26658" } }, "CVE-2024-26659": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "xhci: handle isoc Babble and Buffer Overrun events properly", "fixes": "7c4650ded49e5b88929ecbbb631efb8b0838e811", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: handle isoc Babble and Buffer Overrun events properly\n\nxHCI 4.9 explicitly forbids assuming that the xHC has released its\nownership of a multi-TRB TD when it reports an error 
on one of the\nearly TRBs. Yet the driver makes such assumption and releases the TD,\nallowing the remaining TRBs to be freed or overwritten by new TDs.\n\nThe xHC should also report completion of the final TRB due to its IOC\nflag being set by us, regardless of prior errors. This event cannot\nbe recognized if the TD has already been freed earlier, resulting in\n\"Transfer event TRB DMA ptr not part of current TD\" error message.\n\nFix this by reusing the logic for processing isoc Transaction Errors.\nThis also handles hosts which fail to report the final completion.\n\nFix transfer length reporting on Babble errors. They may be caused by\ndevice malfunction, no guarantee that the buffer has been filled.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26659", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26659", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26659", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26659", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26659", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26659" } }, "CVE-2024-26660": { "affected_versions": "v5.11-rc1 to v6.8-rc4", "breaks": "3a83e4e64bb1522ddac67ffc787d1c38291e1a65", "cmt_msg": "drm/amd/display: Implement bounds check for stream encoder creation in DCN301", "fixes": "58fca355ad37dcb5f785d9095db5f748b79c5dc2", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Implement bounds check for stream encoder creation in DCN301\n\n'stream_enc_regs' array is an array of dcn10_stream_enc_registers\nstructures. The array is initialized with four elements, corresponding\nto the four calls to stream_enc_regs() in the array initializer. 
This\nmeans that valid indices for this array are 0, 1, 2, and 3.\n\nThe error message 'stream_enc_regs' 4 <= 5 below, is indicating that\nthere is an attempt to access this array with an index of 5, which is\nout of bounds. This could lead to undefined behavior\n\nHere, eng_id is used as an index to access the stream_enc_regs array. If\neng_id is 5, this would result in an out-of-bounds access on the\nstream_enc_regs array.\n\nThus fixing Buffer overflow error in dcn301_stream_encoder_create\nreported by Smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26660", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26660", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26660", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26660", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26660", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26660" } }, "CVE-2024-26661": { "affected_versions": "v5.9-rc1 to v6.8-rc4", "breaks": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53", "cmt_msg": "drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'", "fixes": "66951d98d9bf45ba25acf37fe0747253fafdf298", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26661", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26661", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26661", 
"SUSE": "https://www.suse.com/security/cve/CVE-2024-26661", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26661" } }, "CVE-2024-26662": { "affected_versions": "v5.9-rc1 to v6.8-rc4", "breaks": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53", "cmt_msg": "drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'", "fixes": "e96fddb32931d007db12b1fce9b5e8e4c080401b", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26662", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26662", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26662", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26662", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26662" } }, "CVE-2024-26663": { "affected_versions": "v4.9-rc1 to v6.8-rc4", "breaks": "ef20cd4dd1633987bcf46ac34ace2c8af212361f", "cmt_msg": "tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()", "fixes": "3871aa01e1a779d866fa9dfdd5a836f342f4eb87", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Check the bearer type before calling tipc_udp_nl_bearer_add()\n\nsyzbot reported the following general protection fault [1]:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN\nKASAN: 
null-ptr-deref in range [0x0000000000000080-0x0000000000000087]\n...\nRIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291\n...\nCall Trace:\n \n tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646\n tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089\n genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972\n genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]\n genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n __sys_sendmsg+0x117/0x1e0 net/socket.c:2667\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe cause of this issue is that when tipc_nl_bearer_add() is called with\nthe TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called\neven if the bearer is not UDP.\n\ntipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that\nthe media_ptr field of the tipc_bearer has an udp_bearer type object, so\nthe function goes crazy for non-UDP bearers.\n\nThis patch fixes the issue by checking the bearer type before calling\ntipc_udp_nl_bearer_add() in tipc_nl_bearer_add().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26663", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26663", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26663", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26663", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26663", "Ubuntu": 
"https://ubuntu.com/security/CVE-2024-26663" } }, "CVE-2024-26664": { "affected_versions": "unk to v6.8-rc4", "breaks": "", "cmt_msg": "hwmon: (coretemp) Fix out-of-bounds memory access", "fixes": "4e440abc894585a34c2904a32cd54af1742311b3", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Fix out-of-bounds memory access\n\nFix a bug that pdata->cpu_map[] is set before out-of-bounds check.\nThe problem might be triggered on systems with more than 128 cores per\npackage.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26664", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26664", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26664", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26664", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26664", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26664" } }, "CVE-2024-26665": { "affected_versions": "v5.9-rc1 to v6.8-rc4", "breaks": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f", "cmt_msg": "tunnels: fix out of bounds access when building IPv6 PMTU error", "fixes": "d75abeec401f8c86b470e7028a13fcdc87e5dd06", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix out of bounds access when building IPv6 PMTU error\n\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\n\n BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n Read of size 4 at addr ffff88811d402c80 by task netperf/820\n CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n ...\n kasan_report+0xd8/0x110\n do_csum+0x220/0x240\n csum_partial+0xc/0x20\n skb_tunnel_check_pmtu+0xeb9/0x3280\n vxlan_xmit_one+0x14c2/0x4080\n vxlan_xmit+0xf61/0x5c00\n dev_hard_start_xmit+0xfb/0x510\n __dev_queue_xmit+0x7cd/0x32a0\n br_dev_queue_push_xmit+0x39d/0x6a0\n\nUse 
skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26665", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26665", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26665", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26665", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26665", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26665" } }, "CVE-2024-26666": { "affected_versions": "v6.5-rc1 to v6.8-rc4", "breaks": "8cc07265b69141f8ed9597d0f27185239c241c80", "cmt_msg": "wifi: mac80211: fix RCU use in TDLS fast-xmit", "fixes": "9480adfe4e0f0319b9da04b44e4eebd5ad07e0cd", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix RCU use in TDLS fast-xmit\n\nThis looks up the link under RCU protection, but isn't\nguaranteed to actually have protection. Fix that.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26666", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26666", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26666", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26666", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26666", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26666" } }, "CVE-2024-26667": { "affected_versions": "v5.19-rc1 to v6.8-rc4", "breaks": "ae4d721ce10057a4aa9f0d253e0d460518a9ef75", "cmt_msg": "drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup", "fixes": "7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup\n\nThe commit 8b45a26f2ba9 (\"drm/msm/dpu: reserve cdm blocks for writeback\nin case of YUV output\") introduced 
a smatch warning about another\nconditional block in dpu_encoder_helper_phys_cleanup() which had assumed\nhw_pp will always be valid which may not necessarily be true.\n\nLets fix the other conditional block by making sure hw_pp is valid\nbefore dereferencing it.\n\nPatchwork: https://patchwork.freedesktop.org/patch/574878/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26667", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26667", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26667", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26667", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26667", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26667" } }, "CVE-2024-26668": { "affected_versions": "v4.3-rc1 to v6.8-rc2", "breaks": "d2168e849ebf617b2b7feae44c0c0baf739cb610", "cmt_msg": "netfilter: nft_limit: reject configurations that cause integer overflow", "fixes": "c9d9eb9c53d37cdebbad56b91e40baf42d5a97aa", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_limit: reject configurations that cause integer overflow\n\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\n\nIts better to reject this rather than having incorrect ratelimit.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26668", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26668", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26668", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26668", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26668", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26668" } }, "CVE-2024-26669": { "affected_versions": "v5.1-rc1 to v6.8-rc2", "breaks": "bbf73830cd48cff1599811d4f69c7cfd49c7b869", "cmt_msg": "net/sched: flower: Fix chain template offload", "fixes": 
"32f2a0afa95fae0d1ceec2ff06e0e816939964b8", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). 
The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2024-26669", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26669", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26669", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26669", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26669", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26669" } }, "CVE-2024-26670": { "affected_versions": "v6.6-rc5 to v6.8-rc1", "breaks": "471470bc7052d28ce125901877dd10e4c048e513", "cmt_msg": "arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD", "fixes": "832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n\nCurrently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't\nquite right, as it is supposed to be applied after the last explicit\nmemory access, but is immediately followed by an LDR.\n\nThe ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to\nhandle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,\nwhich are described in:\n\n* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en\n* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en\n\nIn both cases the workaround is described as:\n\n| If pagetable isolation is disabled, the context switch logic in the\n| kernel can be updated to execute the following sequence on affected\n| cores before exiting to EL0, and after all explicit memory accesses:\n|\n| 1. A non-shareable TLBI to any context and/or address, including\n| unused contexts or addresses, such as a `TLBI VALE1 Xzr`.\n|\n| 2. 
A DSB NSH to guarantee completion of the TLBI.\n\nThe important part being that the TLBI+DSB must be placed \"after all\nexplicit memory accesses\".\n\nUnfortunately, as-implemented, the TLBI+DSB is immediately followed by\nan LDR, as we have:\n\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n| \teret\n| alternative_else_nop_endif\n|\n| [ ... KPTI exception return path ... ]\n\nThis patch fixes this by reworking the logic to place the TLBI+DSB\nimmediately before the ERET, after all explicit memory accesses.\n\nThe ERET is currently in a separate alternative block, and alternatives\ncannot be nested. To account for this, the alternative block for\nARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch\nto skip the KPTI logic, with the new shape of the logic being:\n\n| alternative_insn \"b .L_skip_tramp_exit_\\@\", nop, ARM64_UNMAP_KERNEL_AT_EL0\n| \t[ ... KPTI exception return path ... ]\n| .L_skip_tramp_exit_\\@:\n|\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n|\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| \teret\n\nThe new structure means that the workaround is only applied when KPTI is\nnot in use; this is fine as noted in the documented implications of the\nerratum:\n\n| Pagetable isolation between EL0 and higher level ELs prevents the\n| issue from occurring.\n\n... 
and as per the workaround description quoted above, the workaround\nis only necessary \"If pagetable isolation is disabled\".", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26670", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26670", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26670", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26670", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26670", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26670" } }, "CVE-2024-26671": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "blk-mq: fix IO hang from sbitmap wakeup race", "fixes": "5266caaf5660529e3da53004b8b7174cab6374ed", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.", "ref_urls": { 
"Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26671", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26671", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26671", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26671", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26671", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26671" } }, "CVE-2024-26672": { "affected_versions": "v2.6.12-rc2 to v6.8-rc1", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'", "fixes": "4f32504a2f85a7b40fe149436881381f48e9c0c0", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26672", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26672", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-26672", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26672", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26672", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26672" } }, "CVE-2024-26673": { "affected_versions": "v5.3-rc1 to v6.8-rc3", "breaks": "857b46027d6f91150797295752581b7155b9d0e1", "cmt_msg": "netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations", "fixes": "8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4", "last_affected_version": "6.7.3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations\n\n- Disallow families other than NFPROTO_{IPV4,IPV6,INET}.\n- Disallow layer 4 protocol with no ports, since destination port is a\n mandatory attribute for this object.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26673", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26673", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26673", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26673", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26673", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26673" } }, "CVE-2024-26674": { "affected_versions": "v6.4-rc1 to v6.8-rc4", "breaks": "b19b74bc99b1501a550f4448d04d59b946dc617a", "cmt_msg": "x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups", "fixes": "8eed4e00a370b37b4e5985ed983dccedd555ea9d", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups\n\nDuring memory error injection test on kernels >= v6.4, the kernel panics\nlike below. 
However, this issue couldn't be reproduced on kernels <= v6.3.\n\n mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134\n mce: [Hardware Error]: RIP 10: {__get_user_nocheck_4+0x6/0x20}\n mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86\n mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490\n mce: [Hardware Error]: Run the above through 'mcelog --ascii'\n mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel\n Kernel panic - not syncing: Fatal local machine check\n\nThe MCA code can recover from an in-kernel #MC if the fixup type is\nEX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to\naccess userspace memory. However, if the fixup type is EX_TYPE_DEFAULT\nthe only thing that is raised for an in-kernel #MC is a panic.\n\nex_handler_uaccess() would warn if users gave a non-canonical addresses\n(with bit 63 clear) to {get, put}_user(), which was unexpected.\n\nTherefore, commit\n\n b19b74bc99b1 (\"x86/mm: Rework address range check in get_user() and put_user()\")\n\nreplaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user()\nfixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.\n\nCommit\n\n 6014bc27561f (\"x86-64: make access_ok() independent of LAM\")\n\nadded the check gp_fault_address_ok() right before the WARN_ONCE() in\nex_handler_uaccess() to not warn about non-canonical user addresses due\nto LAM.\n\nWith that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user()\nexception fixups in order to be able to handle in-kernel MCEs correctly\nagain.\n\n [ bp: Massage commit message. 
]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26674", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26674", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26674", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26674", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26674", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26674" } }, "CVE-2024-26675": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ppp_async: limit MRU to 64K", "fixes": "cb88cb53badb8aeb3955ad6ce80b07b598e310b8", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp_async: limit MRU to 64K\n\nsyzbot triggered a warning [1] in __alloc_pages():\n\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\n\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\n\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\n\n[1]:\n\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: 
ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n __do_kmalloc_node mm/slub.c:3969 [inline]\n __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n receive_buf drivers/tty/tty_buffer.c:444 [inline]\n flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26675", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26675", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26675", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26675", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26675", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26675" } }, "CVE-2024-26676": { "affected_versions": "unk to v6.8-rc4", "breaks": "", "cmt_msg": "af_unix: Call kfree_skb() for dead 
unix_(sk)->oob_skb in GC.", "fixes": "1279f9d9dec2d7462823a18c29ad61359e0a007d", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.\n\nsyzbot reported a warning [0] in __unix_gc() with a repro, which\ncreates a socketpair and sends one socket's fd to itself using the\npeer.\n\n socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0\n sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=\"\\360\", iov_len=1}],\n msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,\n cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],\n msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1\n\nThis forms a self-cyclic reference that GC should finally untangle\nbut does not due to lack of MSG_OOB handling, resulting in memory\nleak.\n\nRecently, commit 11498715f266 (\"af_unix: Remove io_uring code for\nGC.\") removed io_uring's dead code in GC and revealed the problem.\n\nThe code was executed at the final stage of GC and unconditionally\nmoved all GC candidates from gc_candidates to gc_inflight_list.\nThat papered over the reported problem by always making the following\nWARN_ON_ONCE(!list_empty(&gc_candidates)) false.\n\nThe problem has been there since commit 2aab4b969002 (\"af_unix: fix\nstruct pid leaks in OOB support\") added full scm support for MSG_OOB\nwhile fixing another bug.\n\nTo fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb\nif the socket still exists in gc_candidates after purging collected skb.\n\nThen, we need to set NULL to oob_skb before calling kfree_skb() because\nit calls last fput() and triggers unix_release_sock(), where we call\nduplicate kfree_skb(u->oob_skb) if not NULL.\n\nNote that the leaked socket remained being linked to a global list, so\nkmemleak also could not detect it. 
We need to check /proc/net/protocol\nto notice the unfreed socket.\n\n[0]:\nWARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nModules linked in:\nCPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nCode: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8\nRSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e\nRDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30\nRBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66\nR10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000\nR13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n process_one_work+0x889/0x15e0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787\n kthread+0x2c6/0x3b0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26676", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26676", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26676", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2024-26676", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26676", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26676" } }, "CVE-2024-26677": { "affected_versions": "unk to v6.8-rc4", "breaks": "", "cmt_msg": "rxrpc: Fix delayed ACKs to not set the reference serial number", "fixes": "e7870cf13d20f56bfc19f9c3e89707c69cf104ef", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26677", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26677", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26677", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26677", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26677", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26677" } }, "CVE-2024-26678": { "affected_versions": "v6.7-rc1 to v6.8-rc4", "breaks": "3e3eabe26dc88692d34cf76ca0e0dd331481cc15", "cmt_msg": "x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section", "fixes": "1ad55cecf22f05f1c884adf63cc09d3c3e609ebf", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section\n\nThe .compat section is a dummy PE section that contains the address of\nthe 32-bit entrypoint of the 64-bit kernel image if it is bootable from\n32-bit firmware (i.e., CONFIG_EFI_MIXED=y)\n\nThis section is only 8 bytes in size and is only referenced from the\nloader, and so it is placed at the end of the memory view of the image,\nto avoid the need for padding it to 4k, which is required for 
sections\nappearing in the middle of the image.\n\nUnfortunately, this violates the PE/COFF spec, and even if most EFI\nloaders will work correctly (including the Tianocore reference\nimplementation), PE loaders do exist that reject such images, on the\nbasis that both the file and memory views of the file contents should be\ndescribed by the section headers in a monotonically increasing manner\nwithout leaving any gaps.\n\nSo reorganize the sections to avoid this issue. This results in a slight\npadding overhead (< 4k) which can be avoided if desired by disabling\nCONFIG_EFI_MIXED (which is only needed in rare cases these days)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26678", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26678", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26678", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26678", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26678", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26678" } }, "CVE-2024-26679": { "affected_versions": "v3.18-rc7 to v6.8-rc4", "breaks": "f4713a3dfad045d46afcb9c2a7d0bba288920ed4", "cmt_msg": "inet: read sk->sk_family once in inet_recv_error()", "fixes": "eef00a82c568944f113f2de738156ac591bbd5cd", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: read sk->sk_family once in inet_recv_error()\n\ninet_recv_error() is called without holding the socket lock.\n\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26679", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26679", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26679", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26679", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26679", "Ubuntu": 
"https://ubuntu.com/security/CVE-2024-26679" } }, "CVE-2024-26680": { "affected_versions": "v5.5-rc1 to v6.8-rc4", "breaks": "94ad94558b0fbf18dd6fb0987540af1693157556", "cmt_msg": "net: atlantic: Fix DMA mapping for PTP hwts ring", "fixes": "2e7d3b67630dfd8f178c41fa2217aa00e79a5887", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? 
slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26680", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26680", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26680", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26680", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26680", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26680" } }, "CVE-2024-26681": { "affected_versions": "v6.0-rc1 to v6.8-rc4", "breaks": "012ec02ae4410207f796a9b280a60b80b6cc790a", "cmt_msg": "netdevsim: avoid potential loop in nsim_dev_trap_report_work()", "fixes": "ba5e1272142d051dcc57ca1d3225ad8a089f9858", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: avoid potential loop in nsim_dev_trap_report_work()\n\nMany syzbot reports include the following trace [1]\n\nIf nsim_dev_trap_report_work() can not grab the mutex,\nit should rearm itself at least one jiffie later.\n\n[1]\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events nsim_dev_trap_report_work\n RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]\n RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]\n RIP: 
0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]\n RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]\n RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\n RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189\nCode: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00\nRSP: 0018:ffffc90012dcf998 EFLAGS: 00000046\nRAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3\nRDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0\nRBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e\nR10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002\nR13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]\n debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]\n do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141\n __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]\n _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194\n debug_object_activate+0x349/0x540 lib/debugobjects.c:726\n debug_work_activate kernel/workqueue.c:578 [inline]\n insert_work+0x30/0x230 kernel/workqueue.c:1650\n __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802\n __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953\n queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989\n 
queue_delayed_work include/linux/workqueue.h:563 [inline]\n schedule_delayed_work include/linux/workqueue.h:677 [inline]\n nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842\n process_one_work+0x886/0x15d0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26681", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26681", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26681", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26681", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26681", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26681" } }, "CVE-2024-26682": { "affected_versions": "v6.7-rc1 to v6.8-rc4", "breaks": "c09c4f31998bac6d73508e38812518aceb069b68", "cmt_msg": "wifi: mac80211: improve CSA/ECSA connection refusal", "fixes": "35e2385dbe787936c793d70755a5177d267a40aa", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: improve CSA/ECSA connection refusal\n\nAs mentioned in the previous commit, we pretty quickly found\nthat some APs have ECSA elements stuck in their probe response,\nso using that to not attempt to connect while CSA is happening\nwe never connect to such an AP.\n\nImprove this situation by checking more carefully and ignoring\nthe ECSA if cfg80211 has previously detected the ECSA element\nbeing stuck in the probe response.\n\nAdditionally, allow connecting to an AP that's switching to a\nchannel it's already using, unless it's using quiet mode. In\nthis case, we may just have to adjust bandwidth later. 
If it's\nactually switching channels, it's better not to try to connect\nin the middle of that.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26682", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26682", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26682", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26682", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26682", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26682" } }, "CVE-2024-26683": { "affected_versions": "v6.7-rc1 to v6.8-rc4", "breaks": "c09c4f31998bac6d73508e38812518aceb069b68", "cmt_msg": "wifi: cfg80211: detect stuck ECSA element in probe resp", "fixes": "177fbbcb4ed6b306c1626a277fac3fb1c495a4c7", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: detect stuck ECSA element in probe resp\n\nWe recently added some validation that we don't try to\nconnect to an AP that is currently in a channel switch\nprocess, since that might want the channel to be quiet\nor we might not be able to connect in time to hear the\nswitching in a beacon. 
This was in commit c09c4f31998b\n(\"wifi: mac80211: don't connect to an AP while it's in\na CSA process\").\n\nHowever, we promptly got a report that this caused new\nconnection failures, and it turns out that the AP that\nwe now cannot connect to is permanently advertising an\nextended channel switch announcement, even with quiet.\nThe AP in question was an Asus RT-AC53, with firmware\n3.0.0.4.380_10760-g21a5898.\n\nAs a first step, attempt to detect that we're dealing\nwith such a situation, so mac80211 can use this later.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26683", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26683", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26683", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26683", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26683", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26683" } }, "CVE-2024-26684": { "affected_versions": "v5.4-rc1 to v6.8-rc4", "breaks": "56e58d6c8a5640eb708e85866e9d243d0357ee54", "cmt_msg": "net: stmmac: xgmac: fix handling of DPP safety error for DMA channels", "fixes": "46eba193d04f8bd717e525eb4110f3c46c12aec3", "last_affected_version": "6.7.4", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\n\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26684", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26684", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26684", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26684", "SUSE": 
"https://www.suse.com/security/cve/CVE-2024-26684", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26684" } }, "CVE-2024-26685": { "affected_versions": "v3.12-rc4 to v6.8-rc4", "breaks": "7f42ec3941560f0902fe3671e36f2c20ffd3af0a", "cmt_msg": "nilfs2: fix potential bug in end_buffer_async_write", "fixes": "5bc09b397cbf1221f8a8aacb1152650c9195b02b", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential bug in end_buffer_async_write\n\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\n\nNilfs2 itself does not use end_buffer_async_write(). But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\n\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent. However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device. 
This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\n\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\n\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26685", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26685", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26685", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26685", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26685", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26685" } }, "CVE-2024-26686": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats", "fixes": "7601df8031fd67310af891897ef6cc0df4209305", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. 
If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26686", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26686", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26686", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26686", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26686", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26686" } }, "CVE-2024-26687": { "affected_versions": "v2.6.37-rc1 to v6.8-rc5", "breaks": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "cmt_msg": "xen/events: close evtchn after mapping cleanup", "fixes": "fa765c4b4aed2d64266b694520ecb025c862c5a9", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. 
Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: 
ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26687", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26687", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26687", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26687", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26687", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26687" } }, "CVE-2024-26688": { "affected_versions": "v5.1-rc1 to v6.8-rc4", "breaks": "32021982a324dce93b4ae00c06213bf45fb319c8", "cmt_msg": "fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super", "fixes": "79d72c68c58784a3e1cd2378669d51bfd0cb7498", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested 
pagesize\nis non valid.\n\nE.g: Taking the following steps:\n\n fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\n\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\n\nCausing below Oops.\n\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. 
GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel: \n kernel: ? __die_body+0x1a/0x60\n kernel: ? page_fault_oops+0x16f/0x4a0\n kernel: ? search_bpf_extables+0x65/0x70\n kernel: ? fixup_exception+0x22/0x310\n kernel: ? exc_page_fault+0x69/0x150\n kernel: ? asm_exc_page_fault+0x22/0x30\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel: ? hugetlbfs_fill_super+0x28/0x1a0\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: vfs_get_super+0x40/0xa0\n kernel: ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel: vfs_get_tree+0x25/0xd0\n kernel: vfs_cmd_create+0x64/0xe0\n kernel: __x64_sys_fsconfig+0x395/0x410\n kernel: do_syscall_64+0x80/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? 
exc_page_fault+0x69/0x150\n kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26688", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26688", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26688", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26688", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26688", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26688" } }, "CVE-2024-26689": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ceph: prevent use-after-free in encode_cap_msg()", "fixes": "cda4672da1c26835dcbd7aec2bfed954eda9b5ef", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: prevent use-after-free in encode_cap_msg()\n\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\n\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\n\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. 
This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26689", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26689", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26689", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26689", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26689", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26689" } }, "CVE-2024-26690": { "affected_versions": "v6.6-rc1 to v6.8-rc4", "breaks": "133466c3bbe171f826294161db203f7670bb30c8", "cmt_msg": "net: stmmac: protect updates of 64-bit statistics counters", "fixes": "38cc3c6dcc09dc3a1800b5ec22aef643ca11eab8", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: protect updates of 64-bit statistics counters\n\nAs explained by a comment in , write side of struct\nu64_stats_sync must ensure mutual exclusion, or one seqcount update could\nbe lost on 32-bit platforms, thus blocking readers forever. Such lockups\nhave been observed in real world after stmmac_xmit() on one CPU raced with\nstmmac_napi_poll_tx() on another CPU.\n\nTo fix the issue without introducing a new lock, split the statics into\nthree parts:\n\n1. fields updated only under the tx queue lock,\n2. fields updated only during NAPI poll,\n3. fields updated only from interrupt context,\n\nUpdates to fields in the first two groups are already serialized through\nother locks. It is sufficient to split the existing struct u64_stats_sync\nso that each group has its own.\n\nNote that tx_set_ic_bit is updated from both contexts. 
Split this counter\nso that each context gets its own, and calculate their sum to get the total\nvalue in stmmac_get_ethtool_stats().\n\nFor the third group, multiple interrupts may be processed by different CPUs\nat the same time, but interrupts on the same CPU will not nest. Move fields\nfrom this group to a newly created per-cpu struct stmmac_pcpu_stats.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26690", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26690", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26690", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26690", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26690", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26690" } }, "CVE-2024-26691": { "affected_versions": "unk to v6.8-rc5", "breaks": "", "cmt_msg": "KVM: arm64: Fix circular locking dependency", "fixes": "10c02aad111df02088d1a81792a709f6a7eca6cc", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). 
Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26691", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26691", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26691", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26691", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26691", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26691" } }, "CVE-2024-26692": { "affected_versions": "v6.3-rc1 to v6.8-rc5", "breaks": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "cmt_msg": "smb: Fix regression in writes when non-standard maximum write size negotiated", "fixes": "4860abb91f3d7fbaf8147d54782149bb1fc45892", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Fix regression in writes when non-standard maximum write size negotiated\n\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096). 
When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\n\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\n\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26692", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26692", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26692", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26692", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26692", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26692" } }, "CVE-2024-26693": { "affected_versions": "v6.4-rc1 to v6.8-rc5", "breaks": "57974a55d995468a9a476e24693eb741c649b25f", "cmt_msg": "wifi: iwlwifi: mvm: fix a crash when we run out of stations", "fixes": "b7198383ef2debe748118996f627452281cf27d7", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix a crash when we run out of stations\n\nA DoS tool that injects loads of authentication frames made our AP\ncrash. The iwl_mvm_is_dup() function couldn't find the per-queue\ndup_data which was not allocated.\n\nThe root cause for that is that we ran out of stations in the firmware\nand we didn't really add the station to the firmware, yet we didn't\nreturn an error to mac80211.\nMac80211 was thinking that we have the station and because of that,\nsta_info::uploaded was set to 1. 
This allowed\nieee80211_find_sta_by_ifaddr() to return a valid station object, but\nthat ieee80211_sta didn't have any iwl_mvm_sta object initialized and\nthat caused the crash mentioned earlier when we got Rx on that station.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26693", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26693", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26693", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26693", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26693", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26693" } }, "CVE-2024-26694": { "affected_versions": "v6.4-rc1 to v6.8-rc4", "breaks": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "cmt_msg": "wifi: iwlwifi: fix double-free bug", "fixes": "353d321f63f7dbfc9ef58498cc732c9fe886a596", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) 
Fix that by adding\nthe missing NULL assignment.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26694", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26694", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26694", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26694", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26694", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26694" } }, "CVE-2024-26695": { "affected_versions": "v6.0-rc1 to v6.8-rc4", "breaks": "1b05ece0c931536c0a38a9385e243a7962e933f6", "cmt_msg": "crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked", "fixes": "ccb88e9549e7cfd8bcd511c538f437e20026e983", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked\n\nThe SEV platform device can be shutdown with a null psp_master,\ne.g., using DEBUG_TEST_DRIVER_REMOVE. 
Found using KASAN:\n\n[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)\n[ 137.162647] ccp 0000:23:00.1: no command queues available\n[ 137.170598] ccp 0000:23:00.1: sev enabled\n[ 137.174645] ccp 0000:23:00.1: psp enabled\n[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]\n[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311\n[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c\n[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216\n[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e\n[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0\n[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66\n[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28\n[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8\n[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000\n[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0\n[ 137.182693] Call Trace:\n[ 137.182693] \n[ 137.182693] ? show_regs+0x6c/0x80\n[ 137.182693] ? __die_body+0x24/0x70\n[ 137.182693] ? die_addr+0x4b/0x80\n[ 137.182693] ? exc_general_protection+0x126/0x230\n[ 137.182693] ? asm_exc_general_protection+0x2b/0x30\n[ 137.182693] ? 
__sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80\n[ 137.182693] sev_dev_destroy+0x49/0x100\n[ 137.182693] psp_dev_destroy+0x47/0xb0\n[ 137.182693] sp_destroy+0xbb/0x240\n[ 137.182693] sp_pci_remove+0x45/0x60\n[ 137.182693] pci_device_remove+0xaa/0x1d0\n[ 137.182693] device_remove+0xc7/0x170\n[ 137.182693] really_probe+0x374/0xbe0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] __driver_probe_device+0x199/0x460\n[ 137.182693] driver_probe_device+0x4e/0xd0\n[ 137.182693] __driver_attach+0x191/0x3d0\n[ 137.182693] ? __pfx___driver_attach+0x10/0x10\n[ 137.182693] bus_for_each_dev+0x100/0x190\n[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10\n[ 137.182693] ? __kasan_check_read+0x15/0x20\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? _raw_spin_unlock+0x27/0x50\n[ 137.182693] driver_attach+0x41/0x60\n[ 137.182693] bus_add_driver+0x2a8/0x580\n[ 137.182693] driver_register+0x141/0x480\n[ 137.182693] __pci_register_driver+0x1d6/0x2a0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] sp_pci_init+0x22/0x30\n[ 137.182693] sp_mod_init+0x14/0x30\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] do_one_initcall+0xd1/0x470\n[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10\n[ 137.182693] ? parameq+0x80/0xf0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? __kmalloc+0x3b0/0x4e0\n[ 137.182693] ? kernel_init_freeable+0x92d/0x1050\n[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] kernel_init_freeable+0xa64/0x1050\n[ 137.182693] ? __pfx_kernel_init+0x10/0x10\n[ 137.182693] kernel_init+0x24/0x160\n[ 137.182693] ? __switch_to_asm+0x3e/0x70\n[ 137.182693] ret_from_fork+0x40/0x80\n[ 137.182693] ? 
__pfx_kernel_init+0x1\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26695", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26695", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26695", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26695", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26695", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26695" } }, "CVE-2024-26696": { "affected_versions": "v3.9-rc1 to v6.8-rc4", "breaks": "1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0", "cmt_msg": "nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()", "fixes": "38296afe3c6ee07319e01bb249aa4bb47c07b534", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\n\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\n\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio. Thus causing a deadlock.\n\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty. Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed. 
Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\n\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\n\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26696", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26696", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26696", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26696", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26696" } }, "CVE-2024-26697": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nilfs2: fix data corruption in dsync block recovery for small block sizes", "fixes": "67b8bcbaed4777871bb0dcc888fb02a614a98ab1", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix data corruption in dsync block recovery for small block sizes\n\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache. 
In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\n\nFix these issues by correcting this byte offset calculation on the page.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26697", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26697", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26697", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26697", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26697", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26697" } }, "CVE-2024-26698": { "affected_versions": "v5.8-rc1 to v6.8-rc3", "breaks": "ac5047671758ad4be9f93898247b3a8b6dfde4c7", "cmt_msg": "hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove", "fixes": "e0526ec5360a48ad3ab2e26e802b0532302a7e11", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\n\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\n\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\n\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. 
napi_disable() does the\nopposite.\n\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\n\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\n\nCall trace:\n[ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002\n[ 654.568030] Call Trace:\n[ 654.571221] \n[ 654.573790] __schedule+0x2d6/0x960\n[ 654.577733] schedule+0x69/0xf0\n[ 654.581214] schedule_timeout+0x87/0x140\n[ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20\n[ 654.590291] msleep+0x2d/0x40\n[ 654.593625] napi_disable+0x2b/0x80\n[ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[ 654.611101] ? do_wait_intr+0xb0/0xb0\n[ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc]\n[ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26698", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26698", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26698", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26698", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26698", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26698" } }, "CVE-2024-26699": { "affected_versions": "v2.6.12-rc2 to v6.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr", "fixes": "46806e59a87790760870d216f54951a5b4d545bc", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 
clks.\n\n[How]\nLimit iteration per array size.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26699", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26699", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26699", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26699", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26699", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26699" } }, "CVE-2024-26700": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: Fix MST Null Ptr for RV", "fixes": "e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 
00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? 
do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26700", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26700", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26700", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26700", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26700", "Ubuntu": 
"https://ubuntu.com/security/CVE-2024-26700" } }, "CVE-2024-26702": { "affected_versions": "v5.0-rc1 to v6.8-rc5", "breaks": "121354b2eceb2669ebdffa76b105ad6c03413966", "cmt_msg": "iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC", "fixes": "792595bab4925aa06532a14dd256db523eb4fa5e", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\n\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26702", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26702", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26702", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26702", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26702", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26702" } }, "CVE-2024-26703": { "affected_versions": "v6.5-rc1 to v6.8-rc3", "breaks": "e88ed227f639ebcb31ed4e5b88756b47d904584b", "cmt_msg": "tracing/timerlat: Move hrtimer_init to timerlat_fd open()", "fixes": "1389358bb008e7625942846e9f03554319b7fecc", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Move hrtimer_init to timerlat_fd open()\n\nCurrently, the timerlat's hrtimer is initialized at the first read of\ntimerlat_fd, and destroyed at close(). 
It works, but it causes an error\nif the user program open() and close() the file without reading.\n\nHere's an example:\n\n # echo NO_OSNOISE_WORKLOAD > /sys/kernel/debug/tracing/osnoise/options\n # echo timerlat > /sys/kernel/debug/tracing/current_tracer\n\n # cat < ./timerlat_load.py\n # !/usr/bin/env python3\n\n timerlat_fd = open(\"/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd\", 'r')\n timerlat_fd.close();\n EOF\n\n # ./taskset -c 0 ./timerlat_load.py\n\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\n RIP: 0010:hrtimer_active+0xd/0x50\n Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d\n RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286\n RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08\n RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08\n R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000\n FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? srso_alias_return_thunk+0x5/0x7f\n ? avc_has_extended_perms+0x237/0x520\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? 
hrtimer_active+0xd/0x50\n hrtimer_cancel+0x15/0x40\n timerlat_fd_release+0x48/0xe0\n __fput+0xf5/0x290\n __x64_sys_close+0x3d/0x80\n do_syscall_64+0x60/0x90\n ? srso_alias_return_thunk+0x5/0x7f\n ? __x64_sys_ioctl+0x72/0xd0\n ? srso_alias_return_thunk+0x5/0x7f\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_syscall_64+0x6c/0x90\n ? srso_alias_return_thunk+0x5/0x7f\n ? exit_to_user_mode_prepare+0x142/0x1f0\n ? srso_alias_return_thunk+0x5/0x7f\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f2ffb321594\n Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d\n RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000\n R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003\n R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668\n \n CR2: 0000000000000010\n ---[ end trace 0000000000000000 ]---\n\nMove hrtimer_init to timerlat_fd open() to avoid this problem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26703", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26703", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26703", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26703", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26703", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26703" } }, "CVE-2024-26704": { "affected_versions": "v3.18-rc2 to v6.8-rc3", "breaks": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a", "cmt_msg": "ext4: fix double-free of blocks due to wrong extents moved_len", 
"fixes": "55583e899a5357308274601364741a83e78d6ac4", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double-free of blocks due to wrong extents moved_len\n\nIn ext4_move_extents(), moved_len is only updated when all moves are\nsuccessfully executed, and only discards orig_inode and donor_inode\npreallocations when moved_len is not zero. When the loop fails to exit\nafter successfully moving some extents, moved_len is not updated and\nremains at 0, so it does not discard the preallocations.\n\nIf the moved extents overlap with the preallocated extents, the\noverlapped extents are freed twice in ext4_mb_release_inode_pa() and\next4_process_freed_data() (as described in commit 94d7c16cbbbd (\"ext4:\nFix double-free of blocks with EXT4_IOC_MOVE_EXT\")), and bb_free is\nincremented twice. Hence when trim is executed, a zero-division bug is\ntriggered in mb_update_avg_fragment_size() because bb_free is not zero\nand bb_fragments is zero.\n\nTherefore, update move_len after each extent move to avoid the issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26704", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26704", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26704", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26704", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26704", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26704" } }, "CVE-2024-26705": { "affected_versions": "v6.6-rc2 to v6.8-rc3", "breaks": "e5ef93d02d6c9cc3a14e7348481c9e41a528caa1", "cmt_msg": "parisc: BTLB: Fix crash when setting up BTLB at CPU bringup", "fixes": "913b9d443a0180cf0de3548f1ab3149378998486", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: BTLB: Fix crash when setting up BTLB at CPU bringup\n\nWhen using 
hotplug and bringing up a 32-bit CPU, ask the firmware about the\nBTLB information to set up the static (block) TLB entries.\n\nFor that write access to the static btlb_info struct is needed, but\nsince it is marked __ro_after_init the kernel segfaults with missing\nwrite permissions.\n\nFix the crash by dropping the __ro_after_init annotation.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26705", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26705", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26705", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26705", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26705", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26705" } }, "CVE-2024-26706": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "parisc: Fix random data corruption from exception handler", "fixes": "8b1d72395635af45410b66cc4c4ab37a12c4a831", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix random data corruption from exception handler\n\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\n\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. 
%r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\n\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\n\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26706", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26706", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26706", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26706", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26706", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26706" } }, "CVE-2024-26707": { "affected_versions": "v5.9-rc1 to v6.8-rc3", "breaks": "121c33b07b3127f501b366bc23d2a590e2f2b8ef", "cmt_msg": "net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()", "fixes": "37e8c97e539015637cb920d3e6f1e404f707a06e", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\n\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). 
At the very least it will suppress syzkaller\nreports such as [1].\n\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\n\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n \n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\n\nThis issue is also found in older kernels (at least up to 5.10).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26707", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26707", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26707", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26707", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26707", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26707" } }, "CVE-2024-26708": { "affected_versions": "v6.2-rc1 to v6.8-rc5", "breaks": "1e777f39b4d75e599a3aac8e0f67d739474f198c", "cmt_msg": "mptcp: really cope with fastopen race", "fixes": "337cebbd850f94147cee05252778f8f78b8c337f", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: really cope with fastopen race\n\nFastopen and PM-trigger subflow shutdown can race, as reported by\nsyzkaller.\n\nIn 
my first attempt to close such race, I missed the fact that\nthe subflow status can change again before the subflow_state_change\ncallback is invoked.\n\nAddress the issue additionally copying with all the states directly\nreachable from TCP_FIN_WAIT1.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26708", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26708", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26708", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26708", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26708", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26708" } }, "CVE-2024-26709": { "affected_versions": "v6.7-rc1 to v6.8-rc5", "breaks": "a8ca9fc9134c1a43e6d4db7ff59496bbd7075def", "cmt_msg": "powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach", "fixes": "0846dd77c8349ec92ca0079c9c71d130f34cb192", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Fix the missing iommu_group_put() during platform domain attach\n\nThe function spapr_tce_platform_iommu_attach_dev() is missing to call\niommu_group_put() when the domain is already set. 
This refcount leak\nshows up with BUG_ON() during DLPAR remove operation as:\n\n KernelBug: Kernel bug in state 'None': kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries\n \n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_016) hv:phyp pSeries\n NIP: c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000\n REGS: c0000013aed5f840 TRAP: 0700 Tainted: G I (6.8.0-rc3-autotest-g99bd3cb0d12e)\n MSR: 8000000000029033 CR: 44002402 XER: 20040000\n CFAR: c000000000a0d170 IRQMASK: 0\n ...\n NIP iommu_reconfig_notifier+0x94/0x200\n LR iommu_reconfig_notifier+0x8c/0x200\n Call Trace:\n iommu_reconfig_notifier+0x8c/0x200 (unreliable)\n notifier_call_chain+0xb8/0x19c\n blocking_notifier_call_chain+0x64/0x98\n of_reconfig_notify+0x44/0xdc\n of_detach_node+0x78/0xb0\n ofdt_write.part.0+0x86c/0xbb8\n proc_reg_write+0xf4/0x150\n vfs_write+0xf8/0x488\n ksys_write+0x84/0x140\n system_call_exception+0x138/0x330\n system_call_vectored_common+0x15c/0x2ec\n\nThe patch adds the missing iommu_group_put() call.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26709", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26709", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26709", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26709", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26709", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26709" } }, "CVE-2024-26710": { "affected_versions": "v6.8-rc1 to v6.8-rc5", "breaks": "18f14afe281648e31ed35c9ad2fcb724c4838ad9", "fixes": "f1acb109505d983779bbb7e20a1ee6244d2b5736", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Limit KASAN thread size increase to 32KB\n\nKASAN is seen to increase stack usage, to the point that it was reported\nto lead to stack overflow 
on some 32-bit machines (see link).\n\nTo avoid overflows the stack size was doubled for KASAN builds in\ncommit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with\nKASAN\").\n\nHowever with a 32KB stack size to begin with, the doubling leads to a\n64KB stack, which causes build errors:\n arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff)\n\nAlthough the asm could be reworked, in practice a 32KB stack seems\nsufficient even for KASAN builds - the additional usage seems to be in\nthe 2-3KB range for a 64-bit KASAN build.\n\nSo only increase the stack for KASAN if the stack size is < 32KB.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26710", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26710", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26710", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26710", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26710" } }, "CVE-2024-26711": { "affected_versions": "v6.2-rc1 to v6.8-rc5", "breaks": "62094060cf3acaf52e277457d807ea753269b89e", "cmt_msg": "iio: adc: ad4130: zero-initialize clock init data", "fixes": "a22b0a2be69a36511cb5b37d948b651ddf7debf3", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad4130: zero-initialize clock init data\n\nThe clk_init_data struct does not have all its members\ninitialized, causing issues when trying to expose the internal\nclock on the CLK pin.\n\nFix this by zero-initializing the clk_init_data struct.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26711", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26711", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26711", "Red Hat": 
"https://access.redhat.com/security/cve/CVE-2024-26711", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26711", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26711" } }, "CVE-2024-26712": { "affected_versions": "v5.4-rc1 to v6.8-rc5", "breaks": "663c0c9496a69f80011205ba3194049bcafd681d", "cmt_msg": "powerpc/kasan: Fix addr error caused by page alignment", "fixes": "4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Fix addr error caused by page alignment\n\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\n\nAs a result, memory overwriting occurs.\n\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\n\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26712", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26712", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26712", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26712", 
"SUSE": "https://www.suse.com/security/cve/CVE-2024-26712", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26712" } }, "CVE-2024-26713": { "affected_versions": "unk to v6.8-rc5", "breaks": "", "cmt_msg": "powerpc/pseries/iommu: Fix iommu initialisation during DLPAR add", "fixes": "ed8b94f6e0acd652ce69bd69d678a0c769172df8", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: Fix iommu initialisation during DLPAR add\n\nWhen a PCI device is dynamically added, the kernel oopses with a NULL\npointer dereference:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000030\n Faulting instruction address: 0xc0000000006bbe5c\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8\n REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)\n MSR: 8000000000009033 CR: 24002220 XER: 20040006\n CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0\n ...\n NIP sysfs_add_link_to_group+0x34/0x94\n LR iommu_device_link+0x5c/0x118\n Call Trace:\n iommu_init_device+0x26c/0x318 
(unreliable)\n iommu_device_link+0x5c/0x118\n iommu_init_device+0xa8/0x318\n iommu_probe_device+0xc0/0x134\n iommu_bus_notifier+0x44/0x104\n notifier_call_chain+0xb8/0x19c\n blocking_notifier_call_chain+0x64/0x98\n bus_notify+0x50/0x7c\n device_add+0x640/0x918\n pci_device_add+0x23c/0x298\n of_create_pci_dev+0x400/0x884\n of_scan_pci_dev+0x124/0x1b0\n __of_scan_bus+0x78/0x18c\n pcibios_scan_phb+0x2a4/0x3b0\n init_phb_dynamic+0xb8/0x110\n dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]\n add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]\n kobj_attr_store+0x2c/0x48\n sysfs_kf_write+0x64/0x78\n kernfs_fop_write_iter+0x1b0/0x290\n vfs_write+0x350/0x4a0\n ksys_write+0x84/0x140\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n\nCommit a940904443e4 (\"powerpc/iommu: Add iommu_ops to report capabilities\nand allow blocking domains\") broke DLPAR add of PCI devices.\n\nThe above added iommu_device structure to pci_controller. During\nsystem boot, PCI devices are discovered and this newly added iommu_device\nstructure is initialized by a call to iommu_device_register().\n\nDuring DLPAR add of a PCI device, a new pci_controller structure is\nallocated but there are no calls made to iommu_device_register()\ninterface.\n\nFix is to register the iommu device during DLPAR add as well.\n\n[mpe: Trim oops and tweak some change log wording]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26713", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26713", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26713", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26713", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26713", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26713" } }, "CVE-2024-26714": { "affected_versions": "v5.15-rc1 to v6.8-rc5", "breaks": "9c8c6bac1ae86f6902baa938101902fb3a0a100b", "cmt_msg": "interconnect: qcom: sc8180x: Mark CO0 BCM keepalive", "fixes": 
"85e985a4f46e462a37f1875cb74ed380e7c0c2e0", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26714", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26714", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26714", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26714", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26714", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26714" } }, "CVE-2024-26715": { "affected_versions": "v4.6-rc5 to v6.8-rc3", "breaks": "9772b47a4c2916d645c551228b6085ea24acbe5d", "cmt_msg": "usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend", "fixes": "61a348857e869432e6a920ad8ea9132e8d44c316", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend\n\nIn current scenario if Plug-out and Plug-In performed continuously\nthere could be a chance while checking for dwc->gadget_driver in\ndwc3_gadget_suspend, a NULL pointer dereference may occur.\n\nCall Stack:\n\n\tCPU1: CPU2:\n\tgadget_unbind_driver dwc3_suspend_common\n\tdwc3_gadget_stop dwc3_gadget_suspend\n dwc3_disconnect_gadget\n\nCPU1 basically clears the variable and CPU2 checks the variable.\nConsider CPU1 is running and right before gadget_driver is cleared\nand in parallel CPU2 executes dwc3_gadget_suspend where it finds\ndwc->gadget_driver which is not NULL and resumes execution and then\nCPU1 
completes execution. CPU2 executes dwc3_disconnect_gadget where\nit checks dwc->gadget_driver is already NULL because of which the\nNULL pointer deference occur.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26715", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26715", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26715", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26715", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26715", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26715" } }, "CVE-2024-26716": { "affected_versions": "v6.5-rc1 to v6.8-rc3", "breaks": "83cb2604f641cecadc275ca18adbba4bf262320f", "cmt_msg": "usb: core: Prevent null pointer dereference in update_port_device_state", "fixes": "12783c0b9e2c7915a50d5ec829630ff2da50472c", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: Prevent null pointer dereference in update_port_device_state\n\nCurrently, the function update_port_device_state gets the usb_hub from\nudev->parent by calling usb_hub_to_struct_hub.\nHowever, in case the actconfig or the maxchild is 0, the usb_hub would\nbe NULL and upon further accessing to get port_dev would result in null\npointer dereference.\n\nFix this by introducing an if check after the usb_hub is populated.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26716", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26716", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26716", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26716", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26716", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26716" } }, "CVE-2024-26717": { "affected_versions": "v5.12-rc1-dontuse to v6.8-rc3", "breaks": "b33752c300232d7f95dd9a4353947d0c9e6a0e52", "cmt_msg": "HID: i2c-hid-of: fix NULL-deref on failed power up", 
"fixes": "00aab7dcb2267f2aef59447602f34501efe1a07f", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid-of: fix NULL-deref on failed power up\n\nA while back the I2C HID implementation was split in an ACPI and OF\npart, but the new OF driver never initialises the client pointer which\nis dereferenced on power-up failures.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26717", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26717", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26717", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26717", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26717", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26717" } }, "CVE-2024-26718": { "affected_versions": "v5.9-rc1 to v6.8-rc3", "breaks": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877", "cmt_msg": "dm-crypt, dm-verity: disable tasklets", "fixes": "0a9bab391e336489169b95cb0d4553d921302189", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. 
They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26718", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26718", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26718", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26718", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26718", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26718" } }, "CVE-2024-26719": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nouveau: offload fence uevents work to workqueue", "fixes": "39126abc5e20611579602f03b66627d7cd1422f0", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26719", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26719", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26719", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26719", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26719", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26719" } }, "CVE-2024-26720": { 
"affected_versions": "v3.16 to v6.8-rc3", "breaks": "f6789593d5cea42a4ecb1cbeab6a23ade5ebbba7", "cmt_msg": "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again", "fixes": "9319b647902cbd5cc884ac08a8a6d54ce111fc78", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\n\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64(). On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\n\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\n\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\n\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. 
\nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26720", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26720", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26720", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26720", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26720", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26720" } }, "CVE-2024-26721": { "affected_versions": "v6.7-rc1 to v6.8-rc5", "breaks": "bd077259d0a9c9bf453e7e9751bf41f1996e6585", "cmt_msg": "drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address", "fixes": "962ac2dce56bb3aad1f82a4bbe3ada57a020287c", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address\n\nCommit bd077259d0a9 (\"drm/i915/vdsc: Add function to read any PPS\nregister\") defines a new macro to calculate the DSC PPS register\naddresses with PPS number as an input. This macro correctly calculates\nthe addresses till PPS 11 since the addresses increment by 4. So in that\ncase the following macro works correctly to give correct register\naddress:\n\n_MMIO(_DSCA_PPS_0 + (pps) * 4)\n\nHowever after PPS 11, the register address for PPS 12 increments by 12\nbecause of RC Buffer memory allocation in between. 
Because of this\ndiscontinuity in the address space, the macro calculates wrong addresses\nfor PPS 12 - 16 resulting into incorrect DSC PPS parameter value\nread/writes causing DSC corruption.\n\nThis fixes it by correcting this macro to add the offset of 12 for PPS\n>=12.\n\nv3: Add correct paranthesis for pps argument (Jani Nikula)\n\n(cherry picked from commit 6074be620c31dc2ae11af96a1a5ea95580976fb5)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26721", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26721", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26721", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26721", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26721", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26721" } }, "CVE-2024-26722": { "affected_versions": "v6.7-rc5 to v6.8-rc5", "breaks": "cdba4301adda7c60a2064bf808e48fccd352aaa9", "cmt_msg": "ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()", "fixes": "6ef5d5b92f7117b324efaac72b3db27ae8bb3082", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()\n\nThere is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex\nis left locked forever. 
That may lead to deadlock\nwhen rt5645_jack_detect_work() is called for the second time.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26722", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26722", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26722", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26722", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26722", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26722" } }, "CVE-2024-26723": { "affected_versions": "v6.1-rc1 to v6.8-rc5", "breaks": "cabc9d49333df72fe0f6d58bdcf9057ba341e701", "cmt_msg": "lan966x: Fix crash when adding interface under a lag", "fixes": "15faa1f67ab405d47789d4702f587ec7df7ef03e", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix crash when adding interface under a lag\n\nThere is a crash when adding one of the lan966x interfaces under a lag\ninterface. The issue can be reproduced like this:\nip link add name bond0 type bond miimon 100 mode balance-xor\nip link set dev eth0 master bond0\n\nThe reason is because when adding a interface under the lag it would go\nthrough all the ports and try to figure out which other ports are under\nthat lag interface. And the issue is that lan966x can have ports that are\nNULL pointer as they are not probed. So then iterating over these ports\nit would just crash as they are NULL pointers.\nThe fix consists in actually checking for NULL pointers before accessing\nsomething from the ports. 
Like we do in other places.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26723", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26723", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26723", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26723", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26723", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26723" } }, "CVE-2024-26724": { "affected_versions": "v6.7-rc1 to v6.8-rc5", "breaks": "496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d", "cmt_msg": "net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers", "fixes": "aa1eec2f546f2afa8c98ec41e5d8ee488165d685", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\n\nI managed to hit following use after free warning recently:\n\n[ 2169.711665] ==================================================================\n[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0\n[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0\n\n[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2\n[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 2169.722457] Call Trace:\n[ 2169.722756] \n[ 2169.723024] dump_stack_lvl+0x58/0xb0\n[ 2169.723417] print_report+0xc5/0x630\n[ 2169.723807] ? __virt_addr_valid+0x126/0x2b0\n[ 2169.724268] kasan_report+0xbe/0xf0\n[ 2169.724667] ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725116] ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725570] __run_timers.part.0+0x179/0x4c0\n[ 2169.726003] ? call_timer_fn+0x320/0x320\n[ 2169.726404] ? lock_downgrade+0x3a0/0x3a0\n[ 2169.726820] ? kvm_clock_get_cycles+0x14/0x20\n[ 2169.727257] ? ktime_get+0x92/0x150\n[ 2169.727630] ? 
lapic_next_deadline+0x35/0x60\n[ 2169.728069] run_timer_softirq+0x40/0x80\n[ 2169.728475] __do_softirq+0x1a1/0x509\n[ 2169.728866] irq_exit_rcu+0x95/0xc0\n[ 2169.729241] sysvec_apic_timer_interrupt+0x6b/0x80\n[ 2169.729718] \n[ 2169.729993] \n[ 2169.730259] asm_sysvec_apic_timer_interrupt+0x16/0x20\n[ 2169.730755] RIP: 0010:default_idle+0x13/0x20\n[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00\n[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242\n[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62\n[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55\n[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14\n[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0\n[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200\n[ 2169.736478] ? ct_kernel_exit.constprop.0+0xa2/0xc0\n[ 2169.736954] ? do_idle+0x285/0x290\n[ 2169.737323] default_idle_call+0x63/0x90\n[ 2169.737730] do_idle+0x285/0x290\n[ 2169.738089] ? arch_cpu_idle_exit+0x30/0x30\n[ 2169.738511] ? mark_held_locks+0x1a/0x80\n[ 2169.738917] ? lockdep_hardirqs_on_prepare+0x12e/0x200\n[ 2169.739417] cpu_startup_entry+0x30/0x40\n[ 2169.739825] start_secondary+0x19a/0x1c0\n[ 2169.740229] ? 
set_cpu_sibling_map+0xbd0/0xbd0\n[ 2169.740673] secondary_startup_64_no_verify+0x15d/0x16b\n[ 2169.741179] \n\n[ 2169.741686] Allocated by task 1098:\n[ 2169.742058] kasan_save_stack+0x1c/0x40\n[ 2169.742456] kasan_save_track+0x10/0x30\n[ 2169.742852] __kasan_kmalloc+0x83/0x90\n[ 2169.743246] mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]\n[ 2169.743730] auxiliary_bus_probe+0x62/0xb0\n[ 2169.744148] really_probe+0x127/0x590\n[ 2169.744534] __driver_probe_device+0xd2/0x200\n[ 2169.744973] device_driver_attach+0x6b/0xf0\n[ 2169.745402] bind_store+0x90/0xe0\n[ 2169.745761] kernfs_fop_write_iter+0x1df/0x2a0\n[ 2169.746210] vfs_write+0x41f/0x790\n[ 2169.746579] ksys_write+0xc7/0x160\n[ 2169.746947] do_syscall_64+0x6f/0x140\n[ 2169.747333] entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\n[ 2169.748049] Freed by task 1220:\n[ 2169.748393] kasan_save_stack+0x1c/0x40\n[ 2169.748789] kasan_save_track+0x10/0x30\n[ 2169.749188] kasan_save_free_info+0x3b/0x50\n[ 2169.749621] poison_slab_object+0x106/0x180\n[ 2169.750044] __kasan_slab_free+0x14/0x50\n[ 2169.750451] kfree+0x118/0x330\n[ 2169.750792] mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]\n[ 2169.751271] auxiliary_bus_remove+0x2e/0x40\n[ 2169.751694] device_release_driver_internal+0x24b/0x2e0\n[ 2169.752191] unbind_store+0xa6/0xb0\n[ 2169.752563] kernfs_fo\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26724", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26724", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26724", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26724", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26724", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26724" } }, "CVE-2024-26725": { "affected_versions": "v6.7-rc1 to v6.8-rc5", "breaks": "9d71b54b65b1fb6c0d3a6c5c88ba9b915c783fbc", "cmt_msg": "dpll: fix possible deadlock during netlink dump operation", "fixes": "53c0441dd2c44ee93fddb5473885fd41e4bc2361", "last_affected_version": "6.7.5", 
"last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix possible deadlock during netlink dump operation\n\nRecently, I've been hitting following deadlock warning during dpll pin\ndump:\n\n[52804.637962] ======================================================\n[52804.638536] WARNING: possible circular locking dependency detected\n[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted\n[52804.639529] ------------------------------------------------------\n[52804.640104] python3/2984 is trying to acquire lock:\n[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780\n[52804.641417]\n but task is already holding lock:\n[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20\n[52804.642747]\n which lock already depends on the new lock.\n\n[52804.643551]\n the existing dependency chain (in reverse order) is:\n[52804.644259]\n -> #1 (dpll_lock){+.+.}-{3:3}:\n[52804.644836] lock_acquire+0x174/0x3e0\n[52804.645271] __mutex_lock+0x119/0x1150\n[52804.645723] dpll_lock_dumpit+0x13/0x20\n[52804.646169] genl_start+0x266/0x320\n[52804.646578] __netlink_dump_start+0x321/0x450\n[52804.647056] genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.647575] genl_rcv_msg+0x1ed/0x3b0\n[52804.648001] netlink_rcv_skb+0xdc/0x210\n[52804.648440] genl_rcv+0x24/0x40\n[52804.648831] netlink_unicast+0x2f1/0x490\n[52804.649290] netlink_sendmsg+0x36d/0x660\n[52804.649742] __sock_sendmsg+0x73/0xc0\n[52804.650165] __sys_sendto+0x184/0x210\n[52804.650597] __x64_sys_sendto+0x72/0x80\n[52804.651045] do_syscall_64+0x6f/0x140\n[52804.651474] entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.652001]\n -> #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:\n[52804.652650] check_prev_add+0x1ae/0x1280\n[52804.653107] __lock_acquire+0x1ed3/0x29a0\n[52804.653559] lock_acquire+0x174/0x3e0\n[52804.653984] __mutex_lock+0x119/0x1150\n[52804.654423] netlink_dump+0xb3/0x780\n[52804.654845] 
__netlink_dump_start+0x389/0x450\n[52804.655321] genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.655842] genl_rcv_msg+0x1ed/0x3b0\n[52804.656272] netlink_rcv_skb+0xdc/0x210\n[52804.656721] genl_rcv+0x24/0x40\n[52804.657119] netlink_unicast+0x2f1/0x490\n[52804.657570] netlink_sendmsg+0x36d/0x660\n[52804.658022] __sock_sendmsg+0x73/0xc0\n[52804.658450] __sys_sendto+0x184/0x210\n[52804.658877] __x64_sys_sendto+0x72/0x80\n[52804.659322] do_syscall_64+0x6f/0x140\n[52804.659752] entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.660281]\n other info that might help us debug this:\n\n[52804.661077] Possible unsafe locking scenario:\n\n[52804.661671] CPU0 CPU1\n[52804.662129] ---- ----\n[52804.662577] lock(dpll_lock);\n[52804.662924] lock(nlk_cb_mutex-GENERIC);\n[52804.663538] lock(dpll_lock);\n[52804.664073] lock(nlk_cb_mutex-GENERIC);\n[52804.664490]\n\nThe issue as follows: __netlink_dump_start() calls control->start(cb)\nwith nlk->cb_mutex held. In control->start(cb) the dpll_lock is taken.\nThen nlk->cb_mutex is released and taken again in netlink_dump(), while\ndpll_lock still being held. 
That leads to ABBA deadlock when another\nCPU races with the same operation.\n\nFix this by moving dpll_lock taking into dumpit() callback which ensures\ncorrect lock taking order.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26725", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26725", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26725", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26725", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26725", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26725" } }, "CVE-2024-26726": { "affected_versions": "v2.6.12-rc2 to v6.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: don't drop extent_map for free space inode on write error", "fixes": "5571e41ec6e56e35f34ae9f5b3a335ef510e0ade", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n 
entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return an EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. 
With this patch in place we no longer panic\nwith my error injection test.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26726", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26726", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26726", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26726", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26726", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26726" } }, "CVE-2024-26727": { "affected_versions": "v5.9-rc1 to v6.8-rc4", "breaks": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788", "cmt_msg": "btrfs: do not ASSERT() if the newly created subvolume already got read", "fixes": "e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", "last_affected_version": "6.7.5", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to 
read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like a backref walk are still able to trigger the read on\nthe subvolume.\n\nThus our assumption behind the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready got a new anon_dev assigned, thus we only need to free the\npreallocated one.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26727", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26727", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26727", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26727", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26727", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26727" } }, "CVE-2024-26728": { "affected_versions": "v6.7-rc1 to v6.8-rc6", "breaks": "0e859faf8670a78ce206977dcf1a31a0231e9ca5", "cmt_msg": "drm/amd/display: fix null-pointer dereference on edid reading", "fixes": "9671761792156f2339627918bafcd713a8a6f777", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix null-pointer dereference on edid reading\n\nUse i2c adapter when there isn't aux_mode in dc_link to fix a\nnull-pointer dereference that happens when running\nigt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector\ndetected as below:\n\n[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0\n[ +0.000010] #PF: supervisor read access in kernel mode\n[ +0.000005] #PF: error_code(0x0000) - not-present page\n[ 
+0.000004] PGD 0 P4D 0\n[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152\n[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021\n[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100\n[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16\n[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246\n[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080\n[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0\n[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980\n[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080\n[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f\n[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0\n[ +0.000003] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000006] \n[ +0.000006] ? __die+0x23/0x70\n[ +0.000011] ? page_fault_oops+0x17d/0x4c0\n[ +0.000008] ? preempt_count_add+0x6e/0xa0\n[ +0.000008] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000011] ? exc_page_fault+0x7f/0x180\n[ +0.000009] ? asm_exc_page_fault+0x26/0x30\n[ +0.000013] ? i2c_transfer+0xd/0x100\n[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm]\n[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm]\n[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[ +0.000042] edid_block_read+0x3b/0xd0 [drm]\n[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm]\n[ +0.000041] ? 
__pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm]\n[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]\n[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]\n[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]\n[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]\n[ +0.000000] status_store+0xb2/0x1f0 [drm]\n[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0\n[ +0.000000] vfs_write+0x24d/0x440\n[ +0.000000] ksys_write+0x6f/0xf0\n[ +0.000000] do_syscall_64+0x60/0xc0\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] ? do_syscall_64+0x6c/0xc0\n[ +0.000000] ? do_syscall_64+0x6c/0xc0\n[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ +0.000000] RIP: 0033:0x7f9ad46b4b00\n[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\n[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00\n[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009\n[ +0.000000] RBP: 0000000000000002 R08\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26728", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26728", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26728", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26728", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26728", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26728" } }, "CVE-2024-26729": { "affected_versions": "v6.7-rc1 to 
v6.8-rc6", "breaks": "028bac5834495f4f4036bf8b3206fcdafe99a393", "cmt_msg": "drm/amd/display: Fix potential null pointer dereference in dc_dmub_srv", "fixes": "d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null pointer dereference in dc_dmub_srv\n\nFixes potential null pointer dereference warnings in the\ndc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()\nfunctions.\n\nIn both functions, the 'dc_dmub_srv' variable was being dereferenced\nbefore it was checked for null. This could lead to a null pointer\ndereference if 'dc_dmub_srv' is null. The fix is to check if\n'dc_dmub_srv' is null before dereferencing it.\n\nThus moving the null checks for 'dc_dmub_srv' to the beginning of the\nfunctions to ensure that 'dc_dmub_srv' is not null when it is\ndereferenced.\n\nFound by smatch & thus fixing the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26729", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26729", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26729", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26729", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26729", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26729" } }, "CVE-2024-26730": { "affected_versions": "v6.6-rc1 to v6.8-rc6", "breaks": "b7f1f7b2523a6a4382f12fe953380b847b80e09d", "cmt_msg": "hwmon: (nct6775) Fix access to temperature configuration registers", "fixes": "d56e460e19ea8382f813eb489730248ec8d7eb73", 
"last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix access to temperature configuration registers\n\nThe number of temperature configuration registers does\nnot always match the total number of temperature registers.\nThis can result in access errors reported if KASAN is enabled.\n\nBUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26730", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26730", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26730", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26730", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26730", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26730" } }, "CVE-2024-26731": { "affected_versions": "v6.4-rc4 to v6.8-rc6", "breaks": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85", "cmt_msg": "bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()", "fixes": "4cd12c6065dfcdeba10f49949bffcf383b3952d8", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n RIP: 0010:0x0\n [...]\n Call Trace:\n \n sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf 
sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock->saved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk->sk_callback_lock.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26731", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26731", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26731", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26731", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26731", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26731" } }, "CVE-2024-26732": { "affected_versions": "v6.7-rc1 to v6.8-rc6", "breaks": "859051dd165ec6cc915f0f2114699021144fd249", "cmt_msg": "net: implement lockless setsockopt(SO_PEEK_OFF)", "fixes": "56667da7399eb19af857e30f41bea89aa6fa812c", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: implement lockless setsockopt(SO_PEEK_OFF)\n\nsyzbot reported a lockdep violation [1] involving af_unix\nsupport of SO_PEEK_OFF.\n\nSince SO_PEEK_OFF is inherently not thread safe (it uses a per-socket\nsk_peek_off field), there is really no point to enforce a pointless\nthread safety in the kernel.\n\nAfter this patch :\n\n- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.\n\n- skb_consume_udp() no longer has to acquire the socket lock.\n\n- af_unix no longer needs a special version of sk_set_peek_off(),\n because it does not lock u->iolock anymore.\n\nAs a followup, we could replace prot->set_peek_off to be a boolean\nand avoid an indirect call, since we always use sk_set_peek_off().\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted\n\nsyz-executor.2/30025 is trying to acquire lock:\n 
ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n\nbut task is already holding lock:\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_nested+0x48/0x100 net/core/sock.c:3524\n lock_sock include/net/sock.h:1691 [inline]\n __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415\n sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046\n ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\n-> #0 (&u->iolock){+.+.}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n sk_setsockopt+0x207e/0x3360\n do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307\n __sys_setsockopt+0x1ad/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 
net/socket.c:2340\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(sk_lock-AF_UNIX);\n lock(&u->iolock);\n lock(sk_lock-AF_UNIX);\n lock(&u->iolock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor.2/30025:\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nstack backtrace:\nCPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0\nHardware name: Google Google C\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26732", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26732", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26732", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26732", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26732", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26732" } }, "CVE-2024-26733": { "affected_versions": "v2.6.12-rc2 to v6.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "arp: Prevent overflow in arp_req_get().", "fixes": "a7d6027790acea24446ddd6632d394096c0f4667", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). 
[0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags. We initialise the field just after the memcpy(), so it's\nnot a problem.\n\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let's limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 
0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26733", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26733", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26733", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26733", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26733", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26733" } }, "CVE-2024-26734": { "affected_versions": "v6.3-rc1 to v6.8-rc6", "breaks": "687125b5799cd5120437fa455cfccbe8537916ff", "cmt_msg": "devlink: fix possible use-after-free and memory leaks in devlink_init()", "fixes": "def689fc26b9a9622d2e2cb0c4933dd3b1c8071c", "last_affected_version": 
"6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\n\nMake an unregister in case of unsuccessful registration.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26734", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26734", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26734", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26734", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26734", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26734" } }, "CVE-2024-26735": { "affected_versions": "v4.10-rc1 to v6.8-rc6", "breaks": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa", "cmt_msg": "ipv6: sr: fix possible use-after-free and null-ptr-deref", "fixes": "5559cea2d5aa3018a5f00dd2aca3427ba09b386b", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26735", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26735", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26735", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26735", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26735", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26735" } }, "CVE-2024-26736": { "affected_versions": "v4.15-rc1 to v6.8-rc6", "breaks": "d2ddc776a4581d900fc3bdc7803b403daae64d88", "cmt_msg": "afs: Increase buffer size in afs_update_volume_status()", "fixes": "6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d", 
"last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Increase buffer size in afs_update_volume_status()\n\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26736", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26736", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26736", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26736", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26736", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26736" } }, "CVE-2024-26737": { "affected_versions": "v5.15-rc1 to v6.8-rc6", "breaks": "b00628b1c7d595ae5b544e059c27b1f5828314b4", "cmt_msg": "bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel", "fixes": "0281b919e175bb9c3128bd3872ac2903e9436e3f", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead to a UAF on timer->timer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer->timer;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer->timer;\n\t\t\t\t\t\ttimer->timer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(&t->timer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(&t->timer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer->timer\nafter an RCU grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". 
Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer->timer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer->timer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer->timer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t->flag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer->timer after\na rcu grace period.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26737", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26737", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26737", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26737", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26737", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26737" } }, "CVE-2024-26738": { "affected_versions": "unk to v6.8-rc6", "breaks": "", "cmt_msg": "powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller", "fixes": "a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller\n\nWhen a PCI device is dynamically added, the kernel oopses with a NULL\npointer dereference:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000030\n Faulting instruction address: 0xc0000000006bbe5c\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 
auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8\n REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)\n MSR: 8000000000009033 CR: 24002220 XER: 20040006\n CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0\n ...\n NIP sysfs_add_link_to_group+0x34/0x94\n LR iommu_device_link+0x5c/0x118\n Call Trace:\n iommu_init_device+0x26c/0x318 (unreliable)\n iommu_device_link+0x5c/0x118\n iommu_init_device+0xa8/0x318\n iommu_probe_device+0xc0/0x134\n iommu_bus_notifier+0x44/0x104\n notifier_call_chain+0xb8/0x19c\n blocking_notifier_call_chain+0x64/0x98\n bus_notify+0x50/0x7c\n device_add+0x640/0x918\n pci_device_add+0x23c/0x298\n of_create_pci_dev+0x400/0x884\n of_scan_pci_dev+0x124/0x1b0\n __of_scan_bus+0x78/0x18c\n pcibios_scan_phb+0x2a4/0x3b0\n init_phb_dynamic+0xb8/0x110\n dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]\n add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]\n kobj_attr_store+0x2c/0x48\n sysfs_kf_write+0x64/0x78\n kernfs_fop_write_iter+0x1b0/0x290\n vfs_write+0x350/0x4a0\n ksys_write+0x84/0x140\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n\nCommit a940904443e4 (\"powerpc/iommu: Add iommu_ops to report capabilities\nand allow blocking domains\") broke DLPAR add of PCI devices.\n\nThe above added iommu_device 
structure to pci_controller. During\nsystem boot, PCI devices are discovered and this newly added iommu_device\nstructure is initialized by a call to iommu_device_register().\n\nDuring DLPAR add of a PCI device, a new pci_controller structure is\nallocated but there are no calls made to iommu_device_register()\ninterface.\n\nFix is to register the iommu device during DLPAR add as well.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26738", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26738", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26738", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26738", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26738", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26738" } }, "CVE-2024-26739": { "affected_versions": "unk to v6.8-rc6", "breaks": "", "cmt_msg": "net/sched: act_mirred: don't override retval if we already lost the skb", "fixes": "166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. 
If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26739", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26739", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26739", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26739", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26739", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26739" } }, "CVE-2024-26740": { "affected_versions": "v4.10-rc1 to v6.8-rc6", "breaks": "53592b3640019f2834701093e38272fdfd367ad8", "cmt_msg": "net/sched: act_mirred: use the backlog for mirred ingress", "fixes": "52f671db18823089a02f07efc04efdb2272ddc17", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. 
But the current\nworkaround does not seem to address the issue.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26740", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26740", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26740", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26740", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26740", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26740" } }, "CVE-2024-26741": { "affected_versions": "v6.1-rc1 to v6.8-rc6", "breaks": "28044fc1d4953b07acec0da4d2fc4784c57ea6fb", "cmt_msg": "dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().", "fixes": "66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().\n\nsyzkaller reported a warning [0] in inet_csk_destroy_sock() with no\nrepro.\n\n WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);\n\nHowever, the syzkaller's log hinted that connect() failed just before\nthe warning due to FAULT_INJECTION. [1]\n\nWhen connect() is called for an unbound socket, we search for an\navailable ephemeral port. If a bhash bucket exists for the port, we\ncall __inet_check_established() or __inet6_check_established() to check\nif the bucket is reusable.\n\nIf reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.\n\nLater, we look up the corresponding bhash2 bucket and try to allocate\nit if it does not exist.\n\nAlthough it rarely occurs in real use, if the allocation fails, we must\nrevert the changes by check_established(). 
Otherwise, an unconnected\nsocket could illegally occupy an ehash entry.\n\nNote that we do not put tw back into ehash because sk might have\nalready responded to a packet for tw and it would be better to free\ntw earlier under such memory presure.\n\n[0]:\nWARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nModules linked in:\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nCode: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05\nRSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40\nRDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8\nRBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000\nR10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0\nR13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000\nFS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n ? 
inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\n dccp_close (net/dccp/proto.c:1078)\n inet_release (net/ipv4/af_inet.c:434)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:377)\n __fput_sync (fs/file_table.c:462)\n __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7f03e53852bb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44\nRSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb\nRDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c\nR10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000\nR13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170\n \n\n[1]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3748)\n kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)\n inet_bind2_bucket_create \n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26741", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26741", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26741", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26741", "SUSE": 
"https://www.suse.com/security/cve/CVE-2024-26741", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26741" } }, "CVE-2024-26742": { "affected_versions": "v6.0-rc1 to v6.8-rc6", "breaks": "cf15c3e734e8d25de7b4d9170f5a69ace633a583", "cmt_msg": "scsi: smartpqi: Fix disable_managed_interrupts", "fixes": "5761eb9761d2d5fe8248a9b719efc4d8baf1f24a", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 
R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? 
set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26742", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26742", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26742", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26742", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26742", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26742" } }, "CVE-2024-26743": { "affected_versions": "v2.6.12-rc2 to v6.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "RDMA/qedr: Fix qedr_create_user_qp error flow", "fixes": "5ba4e6d5863c53e937f49932dee0ecb004c65928", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix qedr_create_user_qp error flow\n\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\n\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support 
intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? 
ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n\n--[ end trace 888a9b92e04c5c97 ]--", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26743", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26743", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26743", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26743", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26743", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26743" } }, "CVE-2024-26744": { "affected_versions": "v3.3-rc1 to v6.8-rc6", "breaks": "a42d985bd5b234da8b61347a78dc3057bf7bb94d", "cmt_msg": "RDMA/srpt: Support specifying the srpt_service_guid parameter", "fixes": "fdfa083549de5d50ebf7f6811f33757781e838c0", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Support specifying the srpt_service_guid parameter\n\nMake loading ib_srpt with this parameter set work. 
The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n \n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26744", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26744", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26744", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26744", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26744", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26744" } }, "CVE-2024-26745": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV", "fixes": "09a3c1e46142199adcee372a420b024b4fc61051", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV\n\nWhen kdump kernel tries to copy dump data over SR-IOV, LPAR panics due\nto NULL pointer exception:\n\n Kernel attempted to read user page (0) - exploit attempt? 
(uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000020847ad4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop\n CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c\n REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)\n MSR: 800000000280b033 CR: 48288244 XER: 00000008\n CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1\n ...\n NIP _find_next_zero_bit+0x24/0x110\n LR bitmap_find_next_zero_area_off+0x5c/0xe0\n Call Trace:\n dev_printk_emit+0x38/0x48 (unreliable)\n iommu_area_alloc+0xc4/0x180\n iommu_range_alloc+0x1e8/0x580\n iommu_alloc+0x60/0x130\n iommu_alloc_coherent+0x158/0x2b0\n dma_iommu_alloc_coherent+0x3c/0x50\n dma_alloc_attrs+0x170/0x1f0\n mlx5_cmd_init+0xc0/0x760 [mlx5_core]\n mlx5_function_setup+0xf0/0x510 [mlx5_core]\n mlx5_init_one+0x84/0x210 [mlx5_core]\n probe_one+0x118/0x2c0 [mlx5_core]\n local_pci_probe+0x68/0x110\n pci_call_probe+0x68/0x200\n pci_device_probe+0xbc/0x1a0\n really_probe+0x104/0x540\n __driver_probe_device+0xb4/0x230\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x130\n driver_attach+0x34/0x50\n bus_add_driver+0x16c/0x300\n driver_register+0xa4/0x1b0\n __pci_register_driver+0x68/0x80\n mlx5_init+0xb8/0x100 [mlx5_core]\n do_one_initcall+0x60/0x300\n do_init_module+0x7c/0x2b0\n\nAt the time of LPAR dump, before kexec hands over control to kdump\nkernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.\nFor the SR-IOV case, default DMA window \"ibm,dma-window\" is removed from\nthe FDT and DDW added, for the device.\n\nNow, 
kexec hands over control to the kdump kernel.\n\nWhen the kdump kernel initializes, PCI busses are scanned and IOMMU\ngroup/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV\ncase, there is no \"ibm,dma-window\". The original commit: b1fc44eaa9ba,\nfixes the path where memory is pre-mapped (direct mapped) to the DDW.\nWhen TCEs are direct mapped, there is no need to initialize IOMMU\ntables.\n\niommu_table_setparms_lpar() only considers \"ibm,dma-window\" property\nwhen initiallizing IOMMU table. In the scenario where TCEs are\ndynamically allocated for SR-IOV, newly created IOMMU table is not\ninitialized. Later, when the device driver tries to enter TCEs for the\nSR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().\n\nThe fix is to initialize the IOMMU table with DDW property stored in the\nFDT. There are 2 points to remember:\n\n\t1. For the dedicated adapter, kdump kernel would encounter both\n\t default and DDW in FDT. In this case, DDW property is used to\n\t initialize the IOMMU table.\n\n\t2. A DDW could be direct or dynamic mapped. kdump kernel would\n\t initialize IOMMU table and mark the existing DDW as\n\t \"dynamic\". 
This works fine since, at the time of table\n\t initialization, iommu_table_clear() makes some space in the\n\t DDW, for some predefined number of TCEs which are needed for\n\t kdump to succeed.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26745", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26745", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26745", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26745", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26745", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26745" } }, "CVE-2024-26746": { "affected_versions": "v6.4-rc1 to v6.8-rc7", "breaks": "c2f156bf168fb42cd6ecd0a8e2204dbe542b8516", "cmt_msg": "dmaengine: idxd: Ensure safe user copy of completion record", "fixes": "d3ea125df37dc37972d581b74a5d3785c3f283ab", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Ensure safe user copy of completion record\n\nIf CONFIG_HARDENED_USERCOPY is enabled, copying completion record from\nevent log cache to user triggers a kernel bug.\n\n[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!\n[ 1987.170845] ------------[ cut here ]------------\n[ 1987.176086] kernel BUG at mm/usercopy.c:102!\n[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5\n[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]\n[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90\n[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f\n[ 1987.238505] RSP: 
0018:ff62f5cf20607d60 EFLAGS: 00010246\n[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000\n[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff\n[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff\n[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a\n[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899\n[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000\n[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0\n[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1987.324527] PKRU: 55555554\n[ 1987.327622] Call Trace:\n[ 1987.330424] \n[ 1987.332826] ? show_regs+0x6e/0x80\n[ 1987.336703] ? die+0x3c/0xa0\n[ 1987.339988] ? do_trap+0xd4/0xf0\n[ 1987.343662] ? do_error_trap+0x75/0xa0\n[ 1987.347922] ? usercopy_abort+0x72/0x90\n[ 1987.352277] ? exc_invalid_op+0x57/0x80\n[ 1987.356634] ? usercopy_abort+0x72/0x90\n[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30\n[ 1987.365734] ? usercopy_abort+0x72/0x90\n[ 1987.370088] __check_heap_object+0xb7/0xd0\n[ 1987.374739] __check_object_size+0x175/0x2d0\n[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]\n[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]\n[ 1987.389878] process_one_work+0x13e/0x300\n[ 1987.394435] ? __pfx_worker_thread+0x10/0x10\n[ 1987.399284] worker_thread+0x2f7/0x420\n[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[ 1987.409171] ? __pfx_worker_thread+0x10/0x10\n[ 1987.414019] kthread+0x107/0x140\n[ 1987.417693] ? __pfx_kthread+0x10/0x10\n[ 1987.421954] ret_from_fork+0x3d/0x60\n[ 1987.426019] ? 
__pfx_kthread+0x10/0x10\n[ 1987.430281] ret_from_fork_asm+0x1b/0x30\n[ 1987.434744] \n\nThe issue arises because event log cache is created using\nkmem_cache_create() which is not suitable for user copy.\n\nFix the issue by creating event log cache with\nkmem_cache_create_usercopy(), ensuring safe user copy.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26746", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26746", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26746", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26746", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26746", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26746" } }, "CVE-2024-26747": { "affected_versions": "v4.19-rc6 to v6.8-rc6", "breaks": "5c54fcac9a9de559b444ac63ec3cd82f1d157a0b", "cmt_msg": "usb: roles: fix NULL pointer issue when put module's reference", "fixes": "1c9be13846c0b2abc2480602f8ef421360e1ad9e", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: roles: fix NULL pointer issue when put module's reference\n\nIn current design, usb role class driver will get usb_role_switch parent's\nmodule reference after the user get usb_role_switch device and put the\nreference after the user put the usb_role_switch device. However, the\nparent device of usb_role_switch may be removed before the user put the\nusb_role_switch. If so, then, NULL pointer issue will be met when the user\nput the parent module's reference.\n\nThis will save the module pointer in structure of usb_role_switch. 
Then,\nwe don't need to find module by iterating long relations.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26747", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26747", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26747", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26747", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26747", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26747" } }, "CVE-2024-26748": { "affected_versions": "unk to v6.8-rc6", "breaks": "", "cmt_msg": "usb: cdns3: fix memory double free when handle zero packet", "fixes": "5fd9e45f1ebcd57181358af28506e8a661a260b3", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829 if (request->complete) {\n830 spin_unlock(&priv_dev->lock);\n831 usb_gadget_giveback_request(&priv_ep->endpoint,\n832 request);\n833 spin_lock(&priv_dev->lock);\n834 }\n835\n836 if (request->buf == priv_dev->zlp_buf)\n837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][ T150]\n[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. 
Needn't call\nusb_gadget_giveback_request() because it is allocated in this driver.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26748", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26748", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26748", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26748", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26748", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26748" } }, "CVE-2024-26749": { "affected_versions": "v5.4-rc1 to v6.8-rc6", "breaks": "7733f6c32e36ff9d7adadf40001039bf219b1cbe", "cmt_msg": "usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()", "fixes": "cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()\n\n ...\n cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);\n list_del_init(&priv_req->list);\n ...\n\n'priv_req' actually free at cdns3_gadget_ep_free_request(). 
But\nlist_del_init() use priv_req->list after it.\n\n[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4\n[ 1542.642868][ T534]\n[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):\n[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4\n[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]\n[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4\n[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8\n[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368\n[ 1542.685478][ T534] ffs_func_disable+0x18/0x28\n\nMove list_del_init() before cdns3_gadget_ep_free_request() to resolve this\nproblem.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26749", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26749", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26749", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26749", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26749", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26749" } }, "CVE-2024-26750": { "affected_versions": "v6.8-rc5 to v6.8-rc6", "breaks": "25236c91b5ab4a26a56ba2e79b8060cf4e047839", "fixes": "aa82ac51d63328714645c827775d64dbfd9941f3", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in GC.\n\nsyzbot reported another task hung in __unix_gc(). [0]\n\nThe current while loop assumes that all of the left candidates\nhave oob_skb and calling kfree_skb(oob_skb) releases the remaining\ncandidates.\n\nHowever, I missed a case that oob_skb has self-referencing fd and\nanother fd and the latter sk is placed before the former in the\ncandidate list. 
Then, the while loop never proceeds, resulting\nthe task hung.\n\n__unix_gc() has the same loop just before purging the collected skb,\nso we can call kfree_skb(oob_skb) there and let __skb_queue_purge()\nrelease all inflight sockets.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200\nCode: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70\nRSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287\nRAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80\nRDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000\nRBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84\nR10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee\nR13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n __unix_gc+0xe69/0xf40 net/unix/garbage.c:343\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706\n worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787\n kthread+0x2ef/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26750", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2024-26750", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26750", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26750", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26750", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26750" } }, "CVE-2024-26751": { "affected_versions": "v4.15-rc1 to v6.8-rc6", "breaks": "b2e63555592f81331c8da3afaa607d8cf83e8138", "cmt_msg": "ARM: ep93xx: Add terminator to gpiod_lookup_table", "fixes": "fdf87a0dc26d0550c60edc911cda42f9afec3557", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: ep93xx: Add terminator to gpiod_lookup_table\n\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26751", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26751", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26751", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26751", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26751", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26751" } }, "CVE-2024-26752": { "affected_versions": "unk to v6.8-rc6", "breaks": "", "cmt_msg": "l2tp: pass correct message length to ip6_append_data", "fixes": "359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append 
using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26752", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26752", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26752", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26752", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26752" } }, "CVE-2024-26753": { "affected_versions": "v5.18-rc1 to v6.8-rc6", "breaks": "59ca6c93387d325e96577d8bd4c23c78c1491c11", "cmt_msg": "crypto: virtio/akcipher - Fix stack overflow on memcpy", "fixes": "c0ec2a712daf133d9996a8a1b7ee2d4996080363", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio/akcipher - Fix stack overflow on memcpy\n\nsizeof(struct virtio_crypto_akcipher_session_para) is less than\nsizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from\nstack variable leads stack overflow. 
Clang reports this issue by\ncommands:\nmake -j CC=clang-14 mrproper >/dev/null 2>&1\nmake -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1\nmake -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/\n virtio_crypto_akcipher_algs.o", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26753", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26753", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26753", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26753", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26753", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26753" } }, "CVE-2024-26754": { "affected_versions": "v4.7-rc1 to v6.8-rc6", "breaks": "459aa660eb1d8ce67080da1983bb81d716aa5a69", "cmt_msg": "gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()", "fixes": "136cfaca22567a03bbb3bf53a43d8cb5748b80ec", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\n\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 
0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? 
security_capable+0x9d/0xe0", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26754", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26754", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26754", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26754", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26754", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26754" } }, "CVE-2024-26755": { "affected_versions": "v6.7-rc1 to v6.8-rc6", "breaks": "bc08041b32abe6c9824f78735bac22018eabfc06", "cmt_msg": "md: Don't suspend the array for interrupted reshape", "fixes": "9e46c70e829bddc24e04f963471e9983a11598b7", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't suspend the array for interrupted reshape\n\nmd_start_sync() will suspend the array if there are spares that can be\nadded or removed from conf, however, if reshape is still in progress,\nthis won't happen at all or data will be corrupted(remove_and_add_spares\nwon't be called from md_choose_sync_action for reshape), hence there is\nno need to suspend the array if reshape is not done yet.\n\nMeanwhile, there is a potential deadlock for raid456:\n\n1) reshape is interrupted;\n\n2) set one of the disk WantReplacement, and add a new disk to the array,\n however, recovery won't start until the reshape is finished;\n\n3) then issue an IO across reshpae position, this IO will wait for\n reshape to make progress;\n\n4) continue to reshape, then md_start_sync() found there is a spare disk\n that can be added to conf, mddev_suspend() is called;\n\nStep 4 and step 3 is waiting for each other, deadlock triggered. 
Noted\nthis problem is found by code review, and it's not reporduced yet.\n\nFix this porblem by don't suspend the array for interrupted reshape,\nthis is safe because conf won't be changed until reshape is done.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26755", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26755", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26755", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26755", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26755", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26755" } }, "CVE-2024-26756": { "affected_versions": "v2.6.17-rc1 to v6.8-rc6", "breaks": "f67055780caac6a99f43834795c43acf99eba6a6", "cmt_msg": "md: Don't register sync_thread for reshape directly", "fixes": "ad39c08186f8a0f221337985036ba86731d6aafe", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] 
vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26756", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26756", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26756", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26756", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26756", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26756" } }, "CVE-2024-26757": { "affected_versions": "v4.8-rc1 to v6.8-rc6", "breaks": "ecbfb9f118bce49f571675929160e4ecef91cc8a", "cmt_msg": "md: Don't ignore read-only array in md_check_recovery()", "fixes": "55a48ad2db64737f7ffc0407634218cc6e4c513b", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. 
dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26757", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26757", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26757", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26757", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26757", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26757" } }, "CVE-2024-26758": { "affected_versions": "v3.0-rc4 to v6.8-rc6", "breaks": "68866e425be2ef2664aa5c691bb3ab789736acf5", "cmt_msg": "md: Don't ignore suspended array in md_check_recovery()", "fixes": "1baae052cccd08daf9a9d64c3f959d8cdb689757", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in 
md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). 
And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26758", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26758", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26758", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26758", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26758", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26758" } }, "CVE-2024-26759": { "affected_versions": "unk to v6.8-rc6", "breaks": "", "cmt_msg": "mm/swap: fix race when skipping swapcache", "fixes": "13ddaf26be324a7f951891ecd9ccd04466d27458", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... 
set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. 
Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26759", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26759", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26759", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26759", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26759", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26759" } }, "CVE-2024-26760": { "affected_versions": "v5.19-rc1 to v6.8-rc6", "breaks": "066ff571011d8416e903d3d4f1f41e0b5eb91e1d", "cmt_msg": "scsi: target: pscsi: Fix bio_put() for error case", "fixes": "de959094eb2197636f7c803af0943cb9d3b35804", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: pscsi: Fix bio_put() for error case\n\nAs of commit 066ff571011d (\"block: turn bio_kmalloc into a simple kmalloc\nwrapper\"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()\nand kfree(). 
That is not done properly for the error case, hitting WARN and\nNULL pointer dereference in bio_free().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26760", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26760", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26760", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26760", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26760", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26760" } }, "CVE-2024-26761": { "affected_versions": "v5.19-rc1 to v6.8-rc6", "breaks": "34e37b4c432cd0f1842b352fde4b8878b4166888", "cmt_msg": "cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window", "fixes": "0cab687205986491302cd2e440ef1d253031c221", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window\n\nThe Linux CXL subsystem is built on the assumption that HPA == SPA.\nThat is, the host physical address (HPA) the HDM decoder registers are\nprogrammed with are system physical addresses (SPA).\n\nDuring HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,\n8.1.3.8) are checked if the memory is enabled and the CXL range is in\na HPA window that is described in a CFMWS structure of the CXL host\nbridge (cxl-3.1, 9.18.1.3).\n\nNow, if the HPA is not an SPA, the CXL range does not match a CFMWS\nwindow and the CXL memory range will be disabled then. The HDM decoder\nstops working which causes system memory being disabled and further a\nsystem hang during HDM decoder initialization, typically when a CXL\nenabled kernel boots.\n\nPrevent a system hang and do not disable the HDM decoder if the\ndecoder's CXL range is not found in a CFMWS window.\n\nNote the change only fixes a hardware hang, but does not implement\nHPA/SPA translation. 
Support for this can be added in a follow on\npatch series.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26761", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26761", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26761", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26761", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26761", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26761" } }, "CVE-2024-26762": { "affected_versions": "v6.7-rc1 to v6.8-rc6", "breaks": "6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab", "cmt_msg": "cxl/pci: Skip to handle RAS errors if CXL.mem device is detached", "fixes": "eef5c7b28dbecd6b141987a96db6c54e49828102", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Skip to handle RAS errors if CXL.mem device is detached\n\nThe PCI AER model is an awkward fit for CXL error handling. While the\nexpectation is that a PCI device can escalate to link reset to recover\nfrom an AER event, the same reset on CXL amounts to a surprise memory\nhotplug of massive amounts of memory.\n\nAt present, the CXL error handler attempts some optimistic error\nhandling to unbind the device from the cxl_mem driver after reaping some\nRAS register values. This results in a \"hopeful\" attempt to unplug the\nmemory, but there is no guarantee that will succeed.\n\nA subsequent AER notification after the memdev unbind event can no\nlonger assume the registers are mapped. Check for memdev bind before\nreaping status register values to avoid crashes of the form:\n\n BUG: unable to handle page fault for address: ffa00000195e9100\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n [...]\n RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]\n [...]\n Call Trace:\n \n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x160\n ? kernelmode_fixup_or_oops+0x84/0x110\n ? 
exc_page_fault+0x113/0x170\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_dpc_reset_link+0x10/0x10\n ? __cxl_handle_ras+0x30/0x110 [cxl_core]\n ? find_cxl_port+0x59/0x80 [cxl_core]\n cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]\n cxl_error_detected+0x6c/0xf0 [cxl_core]\n report_error_detected+0xc7/0x1c0\n pci_walk_bus+0x73/0x90\n pcie_do_recovery+0x23f/0x330\n\nLonger term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might\nneed to be replaced with a new PCI_ERS_RESULT_PANIC.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26762", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26762", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26762", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26762", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26762", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26762" } }, "CVE-2024-26763": { "affected_versions": "v2.6.12-rc2 to v6.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dm-crypt: don't modify the data when using authenticated encryption", "fixes": "50c70240097ce41fe6bce6478b80478281e4d0f7", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt: don't modify the data when using authenticated encryption\n\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. 
So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\n\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\n\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26763", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26763", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26763", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26763", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26763", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26763" } }, "CVE-2024-26764": { "affected_versions": "v2.6.12-rc2 to v6.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio", "fixes": "b820de741ae48ccf50dd95e297889c286ff4f760", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\n\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\n\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\n\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26764", "ExploitDB": 
"https://www.exploit-db.com/search?cve=2024-26764", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26764", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26764", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26764", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26764" } }, "CVE-2024-26765": { "affected_versions": "v2.6.12-rc2 to v6.8-rc6", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "LoongArch: Disable IRQ before init_fn() for nonboot CPUs", "fixes": "1001db6c42e4012b55e5ee19405490f23e033b5a", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Disable IRQ before init_fn() for nonboot CPUs\n\nDisable IRQ before init_fn() for nonboot CPUs when hotplug, in order to\nsilence such warnings (and also avoid potential errors due to unexpected\ninterrupts):\n\nWARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\npc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0\na0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000\na4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c\nt0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e\nt4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000\nt8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001\ns1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001\ns5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8\n ra: 90000000047bd56c tlb_init+0x24c/0x528\n ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000000 (PPLV0 -PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071000 (LIE=12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 
EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\nStack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000\n 900000010039fa30 0000000000000000 900000010039fa38 900000000619a140\n 9000000006456888 9000000006456880 900000010039f950 0000000000000001\n 0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700\n 0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003\n 0000000000040000 9000000007930370 0000000002b90000 0000000000000004\n 9000000006366000 900000000619a140 0000000000000000 0000000000000004\n 0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940\n 9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8\n 00000000000000b0 0000000000000000 0000000000000000 0000000000071000\n ...\nCall Trace:\n[<90000000047a4828>] show_stack+0x48/0x1a0\n[<9000000005b61874>] dump_stack_lvl+0x84/0xcc\n[<90000000047f60ac>] __warn+0x8c/0x1e0\n[<9000000005b0ab34>] report_bug+0x1b4/0x280\n[<9000000005b63110>] do_bp+0x2d0/0x480\n[<90000000047a2e20>] handle_bp+0x120/0x1c0\n[<90000000048e3334>] rcu_cpu_starting+0x214/0x280\n[<90000000047bd568>] tlb_init+0x248/0x528\n[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160\n[<90000000047a19f4>] cpu_probe+0x494/0xa00\n[<90000000047b551c>] start_secondary+0x3c/0xc0\n[<9000000005b66134>] smpboot_entry+0x50/0x58", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26765", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26765", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26765", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26765", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26765", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26765" } }, "CVE-2024-26766": { "affected_versions": "unk to v6.8-rc6", "breaks": "", "cmt_msg": "IB/hfi1: Fix sdma.h tx->num_descs off-by-one error", "fixes": "e6f57c6881916df39db7d95981a8ad2b9c3458d6", 
"last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990] \n[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978] dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347] __sys_sendmsg+0x59/0xa0\n\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n txreq = {\n list = {\n next = 0xffff9cfeba229f00,\n prev = 0xffff9cfeba229f00\n },\n descp = 0xffff9cfeba229f40,\n coalesce_buf = 0x0,\n wait = 0xffff9cfea4e69a48,\n complete = 0xffffffffc0fe0760 ,\n packet_len = 0x46d,\n tlen = 0x0,\n num_desc = 0x0,\n desc_limit = 0x6,\n next_descq_idx = 0x45c,\n coalesce_idx = 0x0,\n flags = 0x0,\n descs = {{\n qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n }, {\n qw = { 0x3800014231b108, 0x4}\n }, {\n qw = { 0x310000e4ee0fcf0, 0x8}\n }, {\n qw = { 0x3000012e9f8000, 0x8}\n }, {\n qw = { 0x59000dfb9d0000, 0x8}\n }, {\n qw = { 0x78000e02e40000, 0x8}\n }}\n },\n sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure\n sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n complete = 0x0,\n priv = 0x0,\n txq = 0xffff9cfea4e69880,\n skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the 
sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26766", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26766", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26766", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26766", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26766", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26766" } }, "CVE-2024-26767": { "affected_versions": "v2.6.12-rc2 to v6.8-rc5", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "drm/amd/display: fixed integer types and null check locations", "fixes": "0484e05d048b66d01d1f3c1d2306010bb57d8738", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26767", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26767", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26767", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26767", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26767", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26767" } }, "CVE-2024-26768": { "affected_versions": "v2.6.12-rc2 to v6.8-rc4", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", 
"cmt_msg": "LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]", "fixes": "4551b30525cf3d2f026b92401ffe241eb04dfebe", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[ 0.000000] t8 0000000000000014 u0 
ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250\n[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000420000004259\n[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94\n[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250\n[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c\n[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670\n[ 0.000000] [<900000000378b0d8>] 
kernel_entry+0xd8/0xdc", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26768", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26768", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26768", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26768", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26768", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26768" } }, "CVE-2024-26769": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "nvmet-fc: avoid deadlock on delete association path", "fixes": "710c69dbaccdac312e32931abcb8499c1525d397", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid deadlock on delete association path\n\nWhen deleting an association the shutdown path is deadlocking because we\ntry to flush the nvmet_wq nested. Avoid this by deadlock by deferring\nthe put work into its own work item.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26769", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26769", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26769", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26769", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26769", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26769" } }, "CVE-2024-26770": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "HID: nvidia-shield: Add missing null pointer checks to LED initialization", "fixes": "b6eda11c44dc89a681e1c105f0f4660e69b1e183", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated 
memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26770", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26770", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26770", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26770", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26770", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26770" } }, "CVE-2024-26771": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "dmaengine: ti: edma: Add some null pointer checks to the edma_probe", "fixes": "6e2276203ac9ff10fc76917ec9813c660f627369", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Add some null pointer checks to the edma_probe\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. 
Ensure the allocation was successful\nby checking the pointer validity.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26771", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26771", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26771", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26771", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26771", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26771" } }, "CVE-2024-26772": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()", "fixes": "832698373a25950942c04a512daa652c18a9b513", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\n\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26772", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26772", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26772", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26772", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26772", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26772" } }, "CVE-2024-26773": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()", "fixes": "4530b3660d396a646aad91a787b6ab37cf604b53", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from 
corrupted group in ext4_mb_try_best_found()\n\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\n\next4_mb_regular_allocator\n ext4_lock_group(sb, group)\n ext4_mb_good_group\n // check if the group bbitmap is corrupted\n ext4_mb_complex_scan_group\n // Scan group gets ac_b_ex but doesn't use it\n ext4_unlock_group(sb, group)\n ext4_mark_group_bitmap_corrupted(group)\n // The block bitmap was corrupted during\n // the group unlock gap.\n ext4_mb_try_best_found\n ext4_lock_group(ac->ac_sb, group)\n ext4_mb_use_best_found\n mb_mark_used\n // Allocating blocks in block bitmap corrupted group", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26773", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26773", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26773", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26773", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26773", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26773" } }, "CVE-2024-26774": { "affected_versions": "v2.6.12-rc2 to v6.8-rc3", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt", "fixes": "993bf0f4c393b3667830918f9247438a8f6fdb5b", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt\n\nDetermine if bb_fragments is 0 instead of determining bb_free to eliminate\nthe risk of dividing by zero when the block bitmap is corrupted.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26774", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26774", "NVD": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-26774", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26774", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26774", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26774" } }, "CVE-2024-26775": { "affected_versions": "v2.6.12-rc2 to v6.8-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "aoe: avoid potential deadlock at set_capacity", "fixes": "e169bd4fb2b36c4b2bee63c35c740c85daeb2e86", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). 
And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26775", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26775", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26775", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26775", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26775", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26775" } }, "CVE-2024-26776": { "affected_versions": "unk to v6.8-rc2", "breaks": "", "cmt_msg": "spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected", "fixes": "de8b6e1c231a95abf95ad097b993d34b31458ec9", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\n\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. 
Because an empty interrupt will cause a null pointer error:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000008\n Call trace:\n complete+0x54/0x100\n hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n __handle_irq_event_percpu+0x64/0x1e0\n handle_irq_event+0x7c/0x1cc", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26776", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26776", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26776", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26776", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26776", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26776" } }, "CVE-2024-26777": { "affected_versions": "v2.6.12-rc2 to v6.8-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbdev: sis: Error out if pixclock equals zero", "fixes": "e421946be7d9bf545147bea8419ef8239cb7ca52", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sis: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. 
Fix this by checking it\nat the beginning.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26777", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26777", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26777", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26777", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26777", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26777" } }, "CVE-2024-26778": { "affected_versions": "v2.6.12-rc2 to v6.8-rc2", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "fbdev: savage: Error out if pixclock equals zero", "fixes": "04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). 
Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26778", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26778", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26778", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26778", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26778", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26778" } }, "CVE-2024-26779": { "affected_versions": "unk to v6.8-rc2", "breaks": "", "cmt_msg": "wifi: mac80211: fix race condition on enabling fast-xmit", "fixes": "bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f", "last_affected_version": "6.7.6", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix race condition on enabling fast-xmit\n\nfast-xmit must only be enabled after the sta has been uploaded to the driver,\notherwise it could end up passing the not-yet-uploaded sta via drv_tx calls\nto the driver, leading to potential crashes because of uninitialized drv_priv\ndata.\nAdd a missing sta->uploaded check and re-check fast xmit after inserting a sta.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26779", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26779", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26779", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26779", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26779", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26779" } }, "CVE-2024-26780": { "affected_versions": "v6.8-rc4 to v6.8-rc5", "breaks": "1279f9d9dec2d7462823a18c29ad61359e0a007d", "fixes": "25236c91b5ab4a26a56ba2e79b8060cf4e047839", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following 
vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb. [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets. If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26780", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26780", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26780", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26780", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26780", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26780" } }, "CVE-2024-26781": { "affected_versions": "v6.8-rc6 to v6.8-rc7", "breaks": "b8adb69a7d29c2d33eb327bca66476fb6066516b", "fixes": "d6a9608af9a75d13243d217f6ce1e30e57d56ffe", "last_modified": "2024-04-09", "nvd_text": "In the Linux 
kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n WARNING: possible circular locking dependency detected\n 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n syz-executor.2/24141 is trying to acquire lock:\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n but task is already holding lock:\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n include/linux/spinlock.h:351 [inline]\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:\n inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n ops_init+0x352/0x610 net/core/net_namespace.c:136\n __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n do_one_initcall+0x238/0x830 init/main.c:1236\n do_initcall_level+0x157/0x210 init/main.c:1298\n do_initcalls+0x3f/0x80 init/main.c:1314\n 
kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n kernel_init+0x1d/0x2a0 init/main.c:1441\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_fast include/net/sock.h:1723 [inline]\n subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:338 [inline]\n inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n sock_diag_rcv_msg+0xe7/0x410\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2024-26781", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26781", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26781", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26781", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26781", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26781" } }, "CVE-2024-26782": { "affected_versions": "v5.6-rc1 to v6.8-rc7", "breaks": "cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be", "cmt_msg": "mptcp: fix double-free on socket dismantle", "fixes": "10048689def7e40a4405acda16fdc6477d4ecc5c", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n Free of addr ffff888485950880 by task swapper/25/0\n\n CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013\n Call Trace:\n \n dump_stack_lvl+0x32/0x50\n print_report+0xca/0x620\n kasan_report_invalid_free+0x64/0x90\n __kasan_slab_free+0x1aa/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n rcu_do_batch+0x34e/0xd90\n rcu_core+0x559/0xac0\n __do_softirq+0x183/0x5a4\n irq_exit_rcu+0x12d/0x170\n sysvec_apic_timer_interrupt+0x6b/0x80\n \n \n asm_sysvec_apic_timer_interrupt+0x16/0x20\n RIP: 0010:cpuidle_enter_state+0x175/0x300\n Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n RSP: 
0018:ffff888481cf7d90 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n cpuidle_enter+0x4a/0xa0\n do_idle+0x310/0x410\n cpu_startup_entry+0x51/0x60\n start_secondary+0x211/0x270\n secondary_startup_64_no_verify+0x184/0x18b\n \n\n Allocated by task 6853:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n __kmalloc+0x1eb/0x450\n cipso_v4_sock_setattr+0x96/0x360\n netlbl_sock_setattr+0x132/0x1f0\n selinux_netlbl_socket_post_create+0x6c/0x110\n selinux_socket_post_create+0x37b/0x7f0\n security_socket_post_create+0x63/0xb0\n __sock_create+0x305/0x450\n __sys_socket_create.part.23+0xbd/0x130\n __sys_socket+0x37/0xb0\n __x64_sys_socket+0x6f/0xb0\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 6858:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x12c/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n subflow_ulp_release+0x1f0/0x250\n tcp_cleanup_ulp+0x6e/0x110\n tcp_v4_destroy_sock+0x5a/0x3a0\n inet_csk_destroy_sock+0x135/0x390\n tcp_fin+0x416/0x5c0\n tcp_data_queue+0x1bc8/0x4310\n tcp_rcv_state_process+0x15a3/0x47b0\n tcp_v4_do_rcv+0x2c1/0x990\n tcp_v4_rcv+0x41fb/0x5ed0\n ip_protocol_deliver_rcu+0x6d/0x9f0\n ip_local_deliver_finish+0x278/0x360\n ip_local_deliver+0x182/0x2c0\n ip_rcv+0xb5/0x1c0\n __netif_receive_skb_one_core+0x16e/0x1b0\n process_backlog+0x1e3/0x650\n __napi_poll+0xa6/0x500\n net_rx_action+0x740/0xbb0\n __do_softirq+0x183/0x5a4\n\n The buggy address belongs to the object at ffff888485950880\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes 
inside of\n 64-byte region [ffff888485950880, ffff8884859508c0)\n\n The buggy address belongs to the physical page:\n page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888485950780: fa fb fb\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26782", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26782", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26782", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26782", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26782", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26782" } }, "CVE-2024-26783": { "affected_versions": "v5.18-rc1 to v6.8-rc7", "breaks": "c574bbe917036c8968b984c82c7b13194fe5ce98", "cmt_msg": "mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index", "fixes": "2774f256e7c0219e2b0a0894af1c76bdabc4f974", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn't have its local memory so it has no managed zones, the following\noops has been observed. It's because wakeup_kswapd() is called with a\nwrong zone index, -1. 
Fixed it by checking the index before calling\nwakeup_kswapd().\n\n> BUG: unable to handle page fault for address: 00000000000033f3\n> #PF: supervisor read access in kernel mode\n> #PF: error_code(0x0000) - not-present page\n> PGD 0 P4D 0\n> Oops: 0000 [#1] PREEMPT SMP NOPTI\n> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n> Code: (omitted)\n> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n> PKRU: 55555554\n> Call Trace:\n> \n> ? __die\n> ? page_fault_oops\n> ? __pte_offset_map_lock\n> ? exc_page_fault\n> ? asm_exc_page_fault\n> ? 
wakeup_kswapd\n> migrate_misplaced_page\n> __handle_mm_fault\n> handle_mm_fault\n> do_user_addr_fault\n> exc_page_fault\n> asm_exc_page_fault\n> RIP: 0033:0x55b897ba0808\n> Code: (omitted)\n> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n> ", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26783", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26783", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26783", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26783", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26783", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26783" } }, "CVE-2024-26784": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal", "fixes": "eb5555d422d0fc325e1574a7353d3c616f82d8b5", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: Fix NULL dereference on scmi_perf_domain removal\n\nOn unloading of the scmi_perf_domain module got the below splat, when in\nthe DT provided to the system under test the '#power-domain-cells' property\nwas missing. 
Indeed, this particular setup causes the probe to bail out\nearly without giving any error, which leads to the ->remove() callback gets\nto run too, but without all the expected initialized structures in place.\n\nAdd a check and bail out early on remove too.\n\n Call trace:\n scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain]\n scmi_dev_remove+0x28/0x40 [scmi_core]\n device_remove+0x54/0x90\n device_release_driver_internal+0x1dc/0x240\n driver_detach+0x58/0xa8\n bus_remove_driver+0x78/0x108\n driver_unregister+0x38/0x70\n scmi_driver_unregister+0x28/0x180 [scmi_core]\n scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain]\n __arm64_sys_delete_module+0x1a8/0x2c0\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x34/0xb8\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x190/0x198\n Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80)\n ---[ end trace 0000000000000000 ]---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26784", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26784", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26784", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26784", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26784", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26784" } }, "CVE-2024-26785": { "affected_versions": "v6.6-rc1 to v6.8-rc7", "breaks": "9227da7816dd1a42e20d41e2244cb63c205477ca", "cmt_msg": "iommufd: Fix protection fault in iommufd_test_syz_conv_iova", "fixes": "cf7c2789822db8b5efa34f5ebcf1621bc0008d48", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix protection fault in iommufd_test_syz_conv_iova\n\nSyzkaller reported the following bug:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN\n KASAN: null-ptr-deref in range 
[0x00000000000001c0-0x00000000000001c7]\n Call Trace:\n lock_acquire\n lock_acquire+0x1ce/0x4f0\n down_read+0x93/0x4a0\n iommufd_test_syz_conv_iova+0x56/0x1f0\n iommufd_test_access_rw.isra.0+0x2ec/0x390\n iommufd_test+0x1058/0x1e30\n iommufd_fops_ioctl+0x381/0x510\n vfs_ioctl\n __do_sys_ioctl\n __se_sys_ioctl\n __x64_sys_ioctl+0x170/0x1e0\n do_syscall_x64\n do_syscall_64+0x71/0x140\n\nThis is because the new iommufd_access_change_ioas() sets access->ioas to\nNULL during its process, so the lock might be gone in a concurrent racing\ncontext.\n\nFix this by doing the same access->ioas sanity as iommufd_access_rw() and\niommufd_access_pin_pages() functions do.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26785", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26785", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26785", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26785", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26785", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26785" } }, "CVE-2024-26786": { "affected_versions": "v6.6-rc1 to v6.8-rc7", "breaks": "9227da7816dd1a42e20d41e2244cb63c205477ca", "cmt_msg": "iommufd: Fix iopt_access_list_id overwrite bug", "fixes": "aeb004c0cd6958e910123a1607634401009c9539", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n Call Trace:\n iommufd_access_change_ioas+0x2fe/0x4e0\n iommufd_access_destroy_object+0x50/0xb0\n iommufd_object_remove+0x2a3/0x490\n iommufd_object_destroy_user\n iommufd_access_destroy+0x71/0xb0\n iommufd_test_staccess_release+0x89/0xd0\n __fput+0x272/0xb50\n __fput_sync+0x4b/0x60\n __do_sys_close\n __se_sys_close\n __x64_sys_close+0x8b/0x110\n do_syscall_x64\n\nThe mismatch 
between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access->iopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26786", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26786", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26786", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26786", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26786", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26786" } }, "CVE-2024-26787": { "affected_versions": "v4.20-rc1 to v6.8-rc7", "breaks": "46b723dd867d599420fb640c0eaf2a866ef721d4", "cmt_msg": "mmc: mmci: stm32: fix DMA API overlapping mappings warning", "fixes": "6b1ba3f9040be5efc4396d86c9752cdc564730be", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall 
trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26787", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26787", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26787", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26787", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26787", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26787" } }, "CVE-2024-26788": { "affected_versions": "v5.1-rc1 to v6.8-rc7", "breaks": "b092529e0aa09829a6404424ce167bf3ce3235e2", "cmt_msg": "dmaengine: fsl-qdma: init irq after reg initialization", "fixes": "87a39071e0b639f45e05d296cc0538eef44ec0bd", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n Call trace:\n fsl_qdma_queue_handler+0xf8/0x3e8\n 
__handle_irq_event_percpu+0x78/0x2b0\n handle_irq_event_percpu+0x1c/0x68\n handle_irq_event+0x44/0x78\n handle_fasteoi_irq+0xc8/0x178\n generic_handle_irq+0x24/0x38\n __handle_domain_irq+0x90/0x100\n gic_handle_irq+0x5c/0xb8\n el1_irq+0xb8/0x180\n _raw_spin_unlock_irqrestore+0x14/0x40\n __setup_irq+0x4bc/0x798\n request_threaded_irq+0xd8/0x190\n devm_request_threaded_irq+0x74/0xe8\n fsl_qdma_probe+0x4d4/0xca8\n platform_drv_probe+0x50/0xa0\n really_probe+0xe0/0x3f8\n driver_probe_device+0x64/0x130\n device_driver_attach+0x6c/0x78\n __driver_attach+0xbc/0x158\n bus_for_each_dev+0x5c/0x98\n driver_attach+0x20/0x28\n bus_add_driver+0x158/0x220\n driver_register+0x60/0x110\n __platform_driver_register+0x44/0x50\n fsl_qdma_driver_init+0x18/0x20\n do_one_initcall+0x48/0x258\n kernel_init_freeable+0x1a4/0x23c\n kernel_init+0x10/0xf8\n ret_from_fork+0x10/0x18", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26788", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26788", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26788", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26788", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26788", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26788" } }, "CVE-2024-26789": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "crypto: arm64/neonbs - fix out-of-bounds access on short input", "fixes": "1c0cf6d19690141002889d72622b90fc01562ce4", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/neonbs - fix out-of-bounds access on short input\n\nThe bit-sliced implementation of AES-CTR operates on blocks of 128\nbytes, and will fall back to the plain NEON version for tail blocks or\ninputs that are shorter than 128 bytes to begin with.\n\nIt will call straight into the plain NEON asm helper, which performs all\nmemory accesses in granules of 16 bytes (the 
size of a NEON register).\nFor this reason, the associated plain NEON glue code will copy inputs\nshorter than 16 bytes into a temporary buffer, given that this is a rare\noccurrence and it is not worth the effort to work around this in the asm\ncode.\n\nThe fallback from the bit-sliced NEON version fails to take this into\naccount, potentially resulting in out-of-bounds accesses. So clone the\nsame workaround, and use a temp buffer for short in/outputs.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26789", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26789", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26789", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26789", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26789", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26789" } }, "CVE-2024-26790": { "affected_versions": "v5.1-rc1 to v6.8-rc7", "breaks": "b092529e0aa09829a6404424ce167bf3ce3235e2", "cmt_msg": "dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read", "fixes": "9d739bccf261dd93ec1babf82f5c5d71dd4caa3e", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. 
Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26790", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26790", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26790", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26790", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26790", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26790" } }, "CVE-2024-26791": { "affected_versions": "v2.6.12-rc2 to v6.8-rc7", "breaks": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "cmt_msg": "btrfs: dev-replace: properly validate device names", "fixes": "9845664b9ee47ce7ee7ea93caf47d39a9d4552c4", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26791", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26791", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26791", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26791", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26791", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26791" } }, "CVE-2024-26792": { "affected_versions": "v6.8-rc4 to v6.8-rc7", "breaks": 
"e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", "fixes": "e2b54eaf28df0c978626c9736b94f003b523b451", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of anonymous device after snapshot creation failure\n\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\n\nThe steps that lead to this:\n\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n and assign it to pending_snapshot->anon_dev;\n\n2) Then we call btrfs_commit_transaction() and end up at\n transaction.c:create_pending_snapshot();\n\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n number stored in pending_snapshot->anon_dev;\n\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n btrfs_lookup_fs_root() returned a root - someone else did a lookup\n of the new root already, which could some task doing backref walking;\n\n5) After that some error happens in the transaction commit path, and at\n ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n that we free again the same anonymous device number, which in the\n meanwhile may have been reallocated somewhere else, because\n pending_snapshot->anon_dev still has the same value as in step 1.\n\nRecently syzbot ran into this and reported the following trace:\n\n ------------[ cut here ]------------\n ida_free called for id=51 which is not allocated.\n WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n Modules linked in:\n CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n RIP: 0010:ida_free+0x370/0x420 
lib/idr.c:525\n Code: 10 42 80 3c 28 (...)\n RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n Call Trace:\n \n btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n btrfs_ioctl+0xa74/0xd40\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:871 [inline]\n __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7fca3e67dda9\n Code: 28 00 00 00 (...)\n RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n \n\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. 
It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26792", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26792", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26792", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26792", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26792", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26792" } }, "CVE-2024-26793": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "gtp: fix use-after-free and null-ptr-deref in gtp_newlink()", "fixes": "616d82c3cfa2a2146dd7e3ae47bda7e877ee549e", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: 
ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985] ? __die_body.cold+0x1a/0x1f\n[ 1010.715995] ? die_addr+0x43/0x70\n[ 1010.716002] ? exc_general_protection+0x199/0x2f0\n[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042] __rtnl_newlink+0x1063/0x1700\n[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076] ? __kernel_text_address+0x56/0xa0\n[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098] ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106] ? stack_trace_save+0x91/0xd0\n[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121] ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139] ? mark_held_locks+0x9e/0xe0\n[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160] rtnl_newlink+0x69/0xa0\n[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179] ? lock_acquire+0x1fe/0x560\n[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196] netlink_rcv_skb+0x14d/0x440\n[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208] ? 
netlink_ack+0xab0/0xab0\n[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226] ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233] netlink_unicast+0x54b/0x800\n[ 1010.716240] ? netlink_attachskb+0x870/0x870\n[ 1010.716248] ? __check_object_size+0x2de/0x3b0\n[ 1010.716254] netlink_sendmsg+0x938/0xe40\n[ 1010.716261] ? netlink_unicast+0x800/0x800\n[ 1010.716269] ? __import_iovec+0x292/0x510\n[ 1010.716276] ? netlink_unicast+0x800/0x800\n[ 1010.716284] __sock_sendmsg+0x159/0x190\n[ 1010.716290] ____sys_sendmsg+0x712/0x880\n[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309] ? lock_acquire+0x1fe/0x560\n[ 1010.716315] ? drain_array_locked+0x90/0x90\n[ 1010.716324] ___sys_sendmsg+0xf8/0x170\n[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337] ? lockdep_init_map\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26793", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26793", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26793", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26793", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26793", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26793" } }, "CVE-2024-26794": { "affected_versions": "v6.8-rc6 to v6.8-rc7", "breaks": "b0ad381fa7690244802aed119b478b4bdafc31dd", "fixes": "a1a4a9ca77f143c00fce69c1239887ff8b813bec", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between ordered extent completion and fiemap\n\nFor fiemap we recently stopped locking the target extent range for the\nwhole duration of the fiemap call, in order to avoid a deadlock in a\nscenario where the fiemap buffer happens to be a memory mapped range of\nthe same file. 
This use case is very unlikely to be useful in practice but\nit may be triggered by fuzz testing (syzbot, etc).\n\nHowever by not locking the target extent range for the whole duration of\nthe fiemap call we can race with an ordered extent. This happens like\nthis:\n\n1) The fiemap task finishes processing a file extent item that covers\n the file range [512K, 1M[, and that file extent item is the last item\n in the leaf currently being processed;\n\n2) And ordered extent for the file range [768K, 2M[, in COW mode,\n completes (btrfs_finish_one_ordered()) and the file extent item\n covering the range [512K, 1M[ is trimmed to cover the range\n [512K, 768K[ and then a new file extent item for the range [768K, 2M[\n is inserted in the inode's subvolume tree;\n\n3) The fiemap task calls fiemap_next_leaf_item(), which then calls\n btrfs_next_leaf() to find the next leaf / item. This finds that the\n the next key following the one we previously processed (its type is\n BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding\n to the new file extent item inserted by the ordered extent, which has\n a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;\n\n4) Later the fiemap code ends up at emit_fiemap_extent() and triggers\n the warning:\n\n if (cache->offset + cache->len > offset) {\n WARN_ON(1);\n return -EINVAL;\n }\n\n Since we get 1M > 768K, because the previously emitted entry for the\n old extent covering the file range [512K, 1M[ ends at an offset that\n is greater than the new extent's start offset (768K). 
This makes fiemap\n fail with -EINVAL besides triggering the warning that produces a stack\n trace like the following:\n\n [1621.677651] ------------[ cut here ]------------\n [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.677899] Modules linked in: btrfs blake2b_generic (...)\n [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1\n [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678033] Code: 2b 4c 89 63 (...)\n [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206\n [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000\n [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90\n [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000\n [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000\n [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850\n [1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000\n [1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0\n [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [1621.678056] Call Trace:\n [1621.678074] \n [1621.678076] ? __warn+0x80/0x130\n [1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678159] ? report_bug+0x1f4/0x200\n [1621.678164] ? handle_bug+0x42/0x70\n [1621.678167] ? exc_invalid_op+0x14/0x70\n [1621.678170] ? asm_exc_invalid_op+0x16/0x20\n [1621.678178] ? 
emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678253] extent_fiemap+0x766\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26794", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26794", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26794", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26794", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26794", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26794" } }, "CVE-2024-26795": { "affected_versions": "v5.4-rc1 to v6.8-rc7", "breaks": "d95f1a542c3df396137afa217ef9bd39cb8931ca", "cmt_msg": "riscv: Sparse-Memory/vmemmap out-of-bounds fix", "fixes": "a11dd49dcb9376776193e15641f84fcc1e5980c9", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap\u2019s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex's comments", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26795", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26795", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26795", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26795", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26795", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26795" } }, "CVE-2024-26796": { "affected_versions": "v6.6-rc1 to v6.8-rc7", "breaks": "cc4c07c89aada16229084eeb93895c95b7eabaa3", "cmt_msg": "drivers: perf: ctr_get_width function for legacy is not defined", "fixes": "682dc133f83e0194796e6ea72eb642df1c03dfbe", "last_affected_version": "6.7.8", 
"last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: ctr_get_width function for legacy is not defined\n\nWith parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n\nlinux kernel crashes when you try perf record:\n\n$ perf record ls\n[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 46.750199] Oops [#1]\n[ 46.750342] Modules linked in:\n[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2\n[ 46.750906] Hardware name: riscv-virtio,qemu (DT)\n[ 46.751184] epc : 0x0\n[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e\n[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0\n[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0\n[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930\n[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000\n[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004\n[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2\n[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000\n[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078\n[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001\n[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff\n[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30\n[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c\n[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.\n[ 46.754939] ---[ end trace 0000000000000000 ]---\n[ 46.755131] note: perf-exec[107] exited with irqs disabled\n[ 46.755546] note: perf-exec[107] exited with preempt_count 4\n\nThis happens because in the legacy case the ctr_get_width function was not\ndefined, but it is used in 
arch_perf_update_userpage.\n\nAlso remove extra check in riscv_pmu_ctr_get_width_mask", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26796", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26796", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26796", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26796", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26796", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26796" } }, "CVE-2024-26797": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "drm/amd/display: Prevent potential buffer overflow in map_hw_resources", "fixes": "0f8ca019544a252d1afb468ce840c6dcbac73af4", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent potential buffer overflow in map_hw_resources\n\nAdds a check in the map_hw_resources function to prevent a potential\nbuffer overflow. The function was accessing arrays using an index that\ncould potentially be greater than the size of the arrays, leading to a\nbuffer overflow.\n\nAdds a check to ensure that the index is within the bounds of the\narrays. 
If the index is out of bounds, an error message is printed and\nbreak it will continue execution with just ignoring extra data early to\nprevent the buffer overflow.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26797", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26797", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26797", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26797", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26797", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26797" } }, "CVE-2024-26798": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "fbcon: always restore the old font data in fbcon_do_set_font()", "fixes": "00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It's rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. 
if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n BUG: unable to handle page fault for address: fffffffffffffff8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n Call Trace:\n \n con_font_get drivers/tty/vt/vt.c:4558 [inline]\n con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n vfs_ioctl fs/ioctl.c:51 [inline]\n ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater 'if' is now protected by 'old_userfont' and not 'old_data' as the\nlatter is always set now. (And it is supposed to be non-NULL. 
Otherwise\nwe would see the bug above again.)", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26798", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26798", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26798", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26798", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26798", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26798" } }, "CVE-2024-26799": { "affected_versions": "v5.18-rc1 to v6.8-rc7", "breaks": "b81af585ea54ee9f749391e594ee9cbd44061eae", "cmt_msg": "ASoC: qcom: Fix uninitialized pointer dmactl", "fixes": "1382d8b55129875b2e07c4d2a7ebc790183769ee", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix uninitialized pointer dmactl\n\nIn the case where __lpass_get_dmactl_handle is called and the driver\nid dai_id is invalid the pointer dmactl is not being assigned a value,\nand dmactl contains a garbage value since it has not been initialized\nand so the null check may not work. Fix this to initialize dmactl to\nNULL. 
One could argue that modern compilers will set this to zero, but\nit is useful to keep this initialized as per the same way in functions\n__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.\n\nCleans up clang scan build warning:\nsound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition\nevaluates to a garbage value [core.uninitialized.Branch]", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26799", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26799", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26799", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26799", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26799", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26799" } }, "CVE-2024-26800": { "affected_versions": "v6.8-rc5 to v6.8-rc7", "breaks": "8590541473188741055d27b955db0777569438e3", "fixes": "13114dc5543069f7b97991e3b79937b6da05f5b0", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. 
With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26800", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26800", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26800", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26800", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26800", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26800" } }, "CVE-2024-26801": { "affected_versions": "v4.0-rc1 to v6.8-rc7", "breaks": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c", "cmt_msg": "Bluetooth: Avoid potential use-after-free in hci_error_reset", "fixes": "2449007d3f73b2842c9734f45f0aadb522daf592", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth ]\n hci_error_reset+0x4f/0xa4 [bluetooth ]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? 
kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26801", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26801", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26801", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26801", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26801", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26801" } }, "CVE-2024-26802": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "stmmac: Clear variable when destroying workqueue", "fixes": "8af411bbba1f457c33734795f024d0ef26d0963f", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nCurrently when suspending driver and stopping workqueue it is checked whether\nworkqueue is not NULL and if so, it is destroyed.\nFunction destroy_workqueue() does drain queue and does clear variable, but\nit does not set workqueue variable to NULL. 
This can cause kernel/module\npanic if code attempts to clear workqueue that was not initialized.\n\nThis scenario is possible when resuming suspended driver in stmmac_resume(),\nbecause there is no handling for failed stmmac_hw_setup(),\nwhich can fail and return if DMA engine has failed to initialize,\nand workqueue is initialized after DMA engine.\nShould DMA engine fail to initialize, resume will proceed normally,\nbut interface won't work and TX queue will eventually timeout,\ncausing 'Reset adapter' error.\nThis then does destroy workqueue during reset process.\nAnd since workqueue is initialized after DMA engine and can be skipped,\nit will cause kernel/module panic.\n\nTo secure against this possible crash, set workqueue variable to NULL when\ndestroying workqueue.\n\nLog/backtrace from crash goes as follows:\n[88.031977]------------[ cut here ]------------\n[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out\n[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398\n \n[88.032251]---[ end trace e70de432e4d5c2c0 ]---\n[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.\n[88.036359]------------[ cut here ]------------\n[88.036519]Call trace:\n[88.036523] flush_workqueue+0x3e4/0x430\n[88.036528] drain_workqueue+0xc4/0x160\n[88.036533] destroy_workqueue+0x40/0x270\n[88.036537] stmmac_fpe_stop_wq+0x4c/0x70\n[88.036541] stmmac_release+0x278/0x280\n[88.036546] __dev_close_many+0xcc/0x158\n[88.036551] dev_close_many+0xbc/0x190\n[88.036555] dev_close.part.0+0x70/0xc0\n[88.036560] dev_close+0x24/0x30\n[88.036564] stmmac_service_task+0x110/0x140\n[88.036569] process_one_work+0x1d8/0x4a0\n[88.036573] worker_thread+0x54/0x408\n[88.036578] kthread+0x164/0x170\n[88.036583] ret_from_fork+0x10/0x20\n[88.036588]---[ end trace e70de432e4d5c2c1 ]---\n[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "ref_urls": { "Debian": 
"https://security-tracker.debian.org/tracker/CVE-2024-26802", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26802", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26802", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26802", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26802", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26802" } }, "CVE-2024-26803": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "net: veth: clear GRO when clearing XDP even when down", "fixes": "fe9f801355f0b47668419f30f1fac1cf4539e736", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there's nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we'll end up with a stray GRO flag set but no NAPI instances.\n\nWe don't depend on the GRO flag on the datapath, so the datapath\nwon't crash. We will crash (or hang), however, next time features\nare sync'ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. 
If NAPI was initialized before we'll hang in napi_disable().\nIf it never was we'll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26803", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26803", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26803", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26803", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26803", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26803" } }, "CVE-2024-26804": { "affected_versions": "v2.6.34-rc3 to v6.8-rc7", "breaks": "243aad830e8a4cdda261626fbaeddde16b08d04a", "cmt_msg": "net: ip_tunnel: prevent perpetual headroom growth", "fixes": "5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n 
__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned. IOW, we skb->data gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel. The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. 
which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\n\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\n\nv2: Cap the needed_headroom update to an arbitrarily chosen upper limit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26804", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26804", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26804", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26804", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26804", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26804" } }, "CVE-2024-26805": { "affected_versions": "v4.3-rc3 to v6.8-rc7", "breaks": "1853c949646005b5959c483becde86608f548f24", "cmt_msg": "netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter", "fixes": "661779e1fcafe1b74b3f3fe8e980c1e207fea1fd", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the 
Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 
net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n 
free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26805", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26805", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26805", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26805", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26805", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26805" } }, "CVE-2024-26806": { "affected_versions": "unk to v6.8-rc7", "breaks": "", "cmt_msg": "spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks", "fixes": "959043afe53ae80633e810416cee6076da6e91c6", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks\n\nThe ->runtime_suspend() and ->runtime_resume() callbacks are not\nexpected to call spi_controller_suspend() and spi_controller_resume().\nRemove calls to those in the cadence-qspi driver.\n\nThose helpers have two roles currently:\n - They stop/start the queue, including dealing with the kworker.\n - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It\n requires acquiring ctlr->bus_lock_mutex.\n\nStep one is irrelevant because cadence-qspi is not queued. 
Step two\nhowever has two implications:\n - A deadlock occurs, because ->runtime_resume() is called in a context\n where the lock is already taken (in the ->exec_op() callback, where\n the usage count is incremented).\n - It would disallow all operations once the device is auto-suspended.\n\nHere is a brief call tree highlighting the mutex deadlock:\n\nspi_mem_exec_op()\n ...\n spi_mem_access_start()\n mutex_lock(&ctlr->bus_lock_mutex)\n\n cqspi_exec_mem_op()\n pm_runtime_resume_and_get()\n cqspi_resume()\n spi_controller_resume()\n mutex_lock(&ctlr->bus_lock_mutex)\n ...\n\n spi_mem_access_end()\n mutex_unlock(&ctlr->bus_lock_mutex)\n ...", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26806", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26806", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26806", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26806", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26806", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26806" } }, "CVE-2024-26807": { "affected_versions": "v6.4-rc1 to v6.8-rc7", "breaks": "2087e85bb66ee3652dafe732bb9b9b896229eafc", "cmt_msg": "spi: cadence-qspi: fix pointer reference in runtime PM hooks", "fixes": "32ce3bb57b6b402de2aec1012511e7ac4e7449dc", "last_affected_version": "6.7.8", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: fix pointer reference in runtime PM hooks\n\ndev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI\ncontroller. Neither embeds the other; this led to memory corruption.\n\nOn a given platform (Mobileye EyeQ5) the memory corruption is hidden\ninside cqspi->f_pdata. 
Also, this uninitialised memory is used as a\nmutex (ctlr->bus_lock_mutex) by spi_controller_suspend().", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26807", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26807", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26807", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26807", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26807", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26807" } }, "CVE-2024-26808": { "affected_versions": "unk to v6.8-rc2", "breaks": "", "cmt_msg": "netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain", "fixes": "01acb2e8666a6529697141a6017edbf206921913", "last_affected_version": "6.7.2", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\n\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26808", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26808", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26808", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26808", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26808", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26808" } }, "CVE-2024-26809": { "affected_versions": "unk to v6.9-rc1", "breaks": "", "cmt_msg": "netfilter: nft_set_pipapo: release elements in clone only from destroy path", "fixes": "b0e256f3dd2ba6532f37c5c22e07cb07a36031ee", "last_affected_version": "6.7.10", "last_modified": "2024-04-09", "nvd_text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a 
current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "ref_urls": { "Debian": "https://security-tracker.debian.org/tracker/CVE-2024-26809", "ExploitDB": "https://www.exploit-db.com/search?cve=2024-26809", "NVD": "https://nvd.nist.gov/vuln/detail/CVE-2024-26809", "Red Hat": "https://access.redhat.com/security/cve/CVE-2024-26809", "SUSE": "https://www.suse.com/security/cve/CVE-2024-26809", "Ubuntu": "https://ubuntu.com/security/CVE-2024-26809" } } }