CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26865 – rds: tcp: Fix use-after-free of net in reqsk_timer_handler().
https://notcve.org/view.php?id=CVE-2024-26865
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: rds: tcp: Fix use-after-free of net in reqsk_timer_handler(). syzkaller reported a warning of netns tracker [0] followed by KASAN splat [1] and another ref tracker warning [1]. syzkaller could not find a repro, but in the log, the only suspicious sequence was as follows: 18:26:22 executing program 1: r0 = socket$inet6_mptcp(0xa, 0x1, 0x106) ... connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async) The notable thin... • https://git.kernel.org/stable/c/467fa15356acfb7b2efa38839c3e76caa4e6e0ea •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26863 – hsr: Fix uninit-value access in hsr_get_node()
https://notcve.org/view.php?id=CVE-2024-26863
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: hsr: Fix uninit-value access in hsr_get_node() KMSAN reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c... • https://git.kernel.org/stable/c/f266a683a4804dc499efc6c2206ef68efed029d0 • CWE-20: Improper Input Validation •
CVSS: 4.6EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26859 – net/bnx2x: Prevent access to a freed page in page_pool
https://notcve.org/view.php?id=CVE-2024-26859
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However,... • https://git.kernel.org/stable/c/4cace675d687ebd2d813e90af80ff87ee85202f9 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52644 – wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled
https://notcve.org/view.php?id=CVE-2023-52644
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS is disabled to prevent trying to stop/wake a non-existent queue and failing to stop/wake the actual queue instantiated. Log of issue before change (with kernel parameter qos=0): [ +5.112651] ------------[ cut here ]---------... • https://git.kernel.org/stable/c/e6f5b934fba8c44c87c551e066aa7ca6fde2939e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26857 – geneve: make sure to pull inner header in geneve_rx()
https://notcve.org/view.php?id=CVE-2024-26857
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: geneve: make sure to pull inner header in geneve_rx() syzbot triggered a bug in geneve_rx() [1] Issue is similar to the one I fixed in commit 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head.... • https://git.kernel.org/stable/c/2d07dc79fe04a43d82a346ced6bbf07bdb523f1b • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26851 – netfilter: nf_conntrack_h323: Add protection for bmp length out of range
https://notcve.org/view.php?id=CVE-2024-26851
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: Add protection for bmp length out of range UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts that are out of bounds for their data type. vmlinux get_bitmap(b=75) + 712
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26846 – nvme-fc: do not wait in vain when unloading module
https://notcve.org/view.php?id=CVE-2024-26846
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: nvme-fc: do not wait in vain when unloading module The module exit path has race between deleting all controllers and freeing 'left over IDs'. To prevent double free a synchronization between nvme_delete_ctrl and ida_destroy has been added by the initial commit. There is some logic around trying to prevent from hanging forever in wait_for_completion, though it does not handling all cases. E.g. blktests is able to reproduce the situation whe... • https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-415: Double Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26845 – scsi: target: core: Add TMF to tmr_list handling
https://notcve.org/view.php?id=CVE-2024-26845
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Add TMF to tmr_list handling An abort that is responded to by iSCSI itself is added to tmr_list but does not go to target core. A LUN_RESET that goes through tmr_list takes a refcounter on the abort and waits for completion. However, the abort will be never complete because it was not started in target core. Unable to locate ITT: 0x05000000 on CID: 0 Unable to locate RefTaskTag: 0x05000000 on CID: 0. wait_for_tasks: Stop... • https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171 •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26844 – block: Fix WARNING in _copy_from_iter
https://notcve.org/view.php?id=CVE-2024-26844
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: block: Fix WARNING in _copy_from_iter Syzkaller reports a warning in _copy_from_iter because an iov_iter is supposedly used in the wrong direction. The reason is that syzcaller managed to generate a request with a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs the kernel to copy user buffers into the kernel, read into the copied buffers and then copy the data back to user space. Thus the iovec is used in both directions. Detect ... • https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b •
CVSS: 6.0EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26843 – efi: runtime: Fix potential overflow of soft-reserved region size
https://notcve.org/view.php?id=CVE-2024-26843
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: efi: runtime: Fix potential overflow of soft-reserved region size md_size will have been narrowed if we have >= 4GB worth of pages in a soft-reserved region. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: efi: runtime: corrige el posible desbordamiento del tamaño de la región reservada por software. md_size se habrá reducido si tenemos >= 4 GB de páginas en una región reservada por software. A flaw was found in the Li... • https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426 • CWE-121: Stack-based Buffer Overflow •