CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26928 – smb: client: fix potential UAF in cifs_debug_files_proc_show()
https://notcve.org/view.php?id=CVE-2024-26928
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_debug_files_proc_show() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88 https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1 https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502 •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26923 – af_unix: Fix garbage collector racing against connect()
https://notcve.org/view.php?id=CVE-2024-26923
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. • https://git.kernel.org/stable/c/1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423 https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3 https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51 https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9 https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26915 – drm/amdgpu: Reset IH OVERFLOW_CLEAR bit
https://notcve.org/view.php?id=CVE-2024-26915
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Reset IH OVERFLOW_CLEAR bit Allows us to detect subsequent IH ring buffer overflows as well. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: Restablecer el bit IH OVERFLOW_CLEAR También nos permite detectar desbordamientos posteriores del búfer en anillo IH. • https://git.kernel.org/stable/c/9a9d00c23d170d4ef5a1b28e6b69f5c85dd12bc1 https://git.kernel.org/stable/c/a28f4d1e0bed85943d309ac243fd1c200f8af9a2 https://git.kernel.org/stable/c/8983397951b4b0bd51bb4b4ba9749424e1ccbb70 https://git.kernel.org/stable/c/2827633c9dab6304ec4cdbf369363219832e605d https://git.kernel.org/stable/c/7330256268664ea0a7dd5b07a3fed363093477dd •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26914 – drm/amd/display: fix incorrect mpc_combine array size
https://notcve.org/view.php?id=CVE-2024-26914
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix incorrect mpc_combine array size [why] MAX_SURFACES is per stream, while MAX_PLANES is per asic. The mpc_combine is an array that records all the planes per asic. Therefore MAX_PLANES should be used as the array size. Using MAX_SURFACES causes array overflow when there are more than 3 planes. [how] Use the MAX_PLANES for the mpc_combine array size. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: corrige el tamaño incorrecto de la matriz mpc_combine [por qué] MAX_SURFACES es por flujo, mientras que MAX_PLANES es por asic. mpc_combine es una matriz que registra todos los planos por asic. • https://git.kernel.org/stable/c/0bd8ef618a42d7e6ea3f701065264e15678025e3 https://git.kernel.org/stable/c/39079fe8e660851abbafa90cd55cbf029210661f •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26913 – drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue
https://notcve.org/view.php?id=CVE-2024-26913
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue [why] odm calculation is missing for pipe split policy determination and cause Underflow/Corruption issue. [how] Add the odm calculation. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: solucione el problema de corrupción/desbordamiento de dcn35 8k30 [por qué] falta el cálculo de odm para la determinación de la política de división de tuberías y causa un problema de corrupción/desbordamiento. [cómo] Agregue el cálculo de odm. • https://git.kernel.org/stable/c/cdbe0be8874c63bca85b8c38e5b1eecbdd18df31 https://git.kernel.org/stable/c/faf51b201bc42adf500945732abb6220c707d6f3 • CWE-191: Integer Underflow (Wrap or Wraparound) •