CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46764 – bpf: add check for invalid name in btf_name_valid_section()
https://notcve.org/view.php?id=CVE-2024-46764
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: add check for invalid name in btf_name_valid_section() If the length of the name string is 1 and the value of name[0] is NULL byte, an OOB vulnerability occurs in btf_name_valid_section() and the return value is true, so the invalid name passes the check. To solve this, you need to check if the first position is NULL byte and if the first character is printable. In the Linux kernel, the following vulnerability has been resolved: bpf: a... • https://git.kernel.org/stable/c/bd70a8fb7ca4fcb078086f4d96b048aaf1aa4786 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-46763 – fou: Fix null-ptr-deref in GRO.
https://notcve.org/view.php?id=CVE-2024-46763
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() coul... • https://git.kernel.org/stable/c/d92283e338f6d6503b7417536bf3478f466cbc01 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46762 – xen: privcmd: Fix possible access to a freed kirqfd instance
https://notcve.org/view.php?id=CVE-2024-46762
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already... • https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46761 – pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
https://notcve.org/view.php?id=CVE-2024-46761
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes ... • https://git.kernel.org/stable/c/4eb4085c1346d19d4a05c55246eb93e74e671048 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46760 – wifi: rtw88: usb: schedule rx work after everything is set up
https://notcve.org/view.php?id=CVE-2024-46760
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit ... • https://git.kernel.org/stable/c/e3037485c68ec1a299ff41160d8fedbd4abc29b9 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46759 – hwmon: (adc128d818) Fix underflows seen when writing limit attributes
https://notcve.org/view.php?id=CVE-2024-46759
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after ... • https://git.kernel.org/stable/c/05419d0056dcf7088687e561bb583cc06deba777 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-46755 – wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
https://notcve.org/view.php?id=CVE-2024-46755
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something ... • https://git.kernel.org/stable/c/a12cf97cbefa139ef8d95081f2ea047cbbd74b7a •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46754 – bpf: Remove tst_run from lwt_seg6local_prog_ops.
https://notcve.org/view.php?id=CVE-2024-46754
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is neve... • https://git.kernel.org/stable/c/004d4b274e2a1a895a0e5dc66158b90a7d463d44 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46753 – btrfs: handle errors from btrfs_dec_ref() properly
https://notcve.org/view.php?id=CVE-2024-46753
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error. In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error. Ubuntu Security No... • https://git.kernel.org/stable/c/a7f16a7a709845855cb5a0e080a52bda5873f9de •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-46752 – btrfs: replace BUG_ON() with error handling at update_ref_for_cow()
https://notcve.org/view.php?id=CVE-2024-46752
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory). In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_O... • https://git.kernel.org/stable/c/b50857b96429a09fd3beed9f7f21b7bb7c433688 •