CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-46795 – ksmbd: unset the binding mark of a reused connection
https://notcve.org/view.php?id=CVE-2024-46795
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey.... • https://git.kernel.org/stable/c/f5a544e3bab78142207e0242d22442db85ba1eff •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46794 – x86/tdx: Fix data leak in mmio_read()
https://notcve.org/view.php?id=CVE-2024-46794
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' i... • https://git.kernel.org/stable/c/31d58c4e557d46fa7f8557714250fb6f89c941ae •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46793 – ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder
https://notcve.org/view.php?id=CVE-2024-46793
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to ... • https://git.kernel.org/stable/c/7d99a70b65951108d82e1618c67abe69c3ed7720 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46792 – riscv: misaligned: Restrict user access to kernel memory
https://notcve.org/view.php?id=CVE-2024-46792
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address. In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address. Ubuntu Security Notice... • https://git.kernel.org/stable/c/7c83232161f609bbc452a1255f823f41afc411dd •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-46791 – can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
https://notcve.org/view.php?id=CVE-2024-46791
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&pri... • https://git.kernel.org/stable/c/8ce8c0abcba314e1fe954a1840f6568bf5aef2ef •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46790 – codetag: debug: mark codetags for poisoned page as empty
https://notcve.org/view.php?id=CVE-2024-46790
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: codetag: debug: mark codetags for poisoned page as empty When PG_hwpoison pages are freed they are treated differently in free_pages_prepare() and instead of being released they are isolated. Page allocation tag counters are decremented at this point since the page is considered not in use. Later on when such pages are released by unpoison_memory(), the allocation tag counters will be decremented again and the following warning gets reporte... • https://git.kernel.org/stable/c/d224eb0287fbd84f4f13eca042c7f08f87138f3b •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46789 – mm/slub: add check for s->flags in the alloc_tagging_slab_free_hook
https://notcve.org/view.php?id=CVE-2024-46789
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: mm/slub: add check for s->flags in the alloc_tagging_slab_free_hook When enable CONFIG_MEMCG & CONFIG_KFENCE & CONFIG_KMEMLEAK, the following warning always occurs,This is because the following call stack occurred: mem_pool_alloc kmem_cache_alloc_noprof slab_alloc_node kfence_alloc Once the kfence allocation is successful,slab->obj_exts will not be empty, because it has already been assigned a value in kfence_init_pool. Since in the prepare... • https://git.kernel.org/stable/c/4b8736964640fe160724e7135dc62883bddcdace •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46788 – tracing/osnoise: Use a cpumask to know what threads are kthreads
https://notcve.org/view.php?id=CVE-2024-46788
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing t... • https://git.kernel.org/stable/c/e88ed227f639ebcb31ed4e5b88756b47d904584b •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46787 – userfaultfd: fix checks for huge PMDs
https://notcve.org/view.php?id=CVE-2024-46787
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: userfaultfd: fix checks for huge PMDs Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race ... • https://git.kernel.org/stable/c/c1a4de99fada21e2e9251e52cbb51eff5aadc757 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46786 – fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF
https://notcve.org/view.php?id=CVE-2024-46786
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache m... • https://git.kernel.org/stable/c/12bb21a29c19aae50cfad4e2bb5c943108f34a7d •