CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36905 – tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
https://notcve.org/view.php?id=CVE-2024-36905
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets TCP_SYN_RECV state is really special, it is only used by cross-syn connections, mostly used by fuzzers. In the following crash [1], syzbot managed to trigger a divide by zero in tcp_rcv_space_adjust() A socket makes the following state transitions, without ever calling tcp_init_transfer(), meaning tcp_init_buffer_space() is also not called. TCP_CLOSE connect() TCP_SYN_SENT TCP_SYN_... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-369: Divide By Zero •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36904 – tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
https://notcve.org/view.php?id=CVE-2024-36904
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during ... • https://git.kernel.org/stable/c/ec94c2696f0bcd5ae92a553244e4ac30d2171a2d • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2024-36903 – ipv6: Fix potential uninit-value access in __ip6_make_skb()
https://notcve.org/view.php?id=CVE-2024-36903
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix potential uninit-value access in __ip6_make_skb() As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value access. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipv6: corrige el posible acceso a valores uninit en __ip6_make_skb() Co... • https://git.kernel.org/stable/c/ea30388baebcce37fd594d425a65037ca35e59e8 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36902 – ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
https://notcve.org/view.php?id=CVE-2024-36902
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() syzbot is able to trigger the following crash [1], caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 31648 Comm:... • https://git.kernel.org/stable/c/5e5f3f0f801321078c897a5de0b4b4304f234da0 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36901 – ipv6: prevent NULL dereference in ip6_output()
https://notcve.org/view.php?id=CVE-2024-36901
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executo... • https://git.kernel.org/stable/c/778d80be52699596bf70e0eb0761cf5e1e46088d • CWE-476: NULL Pointer Dereference •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36899 – gpiolib: cdev: Fix use after free in lineinfo_changed_notify
https://notcve.org/view.php?id=CVE-2024-36899
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Con... • https://git.kernel.org/stable/c/51c1064e82e77b39a49889287ca50709303e2f26 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36898 – gpiolib: cdev: fix uninitialised kfifo
https://notcve.org/view.php?id=CVE-2024-36898
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: fix uninitialised kfifo If a line is requested with debounce, and that results in debouncing in software, and the line is subsequently reconfigured to enable edge detection then the allocation of the kfifo to contain edge events is overlooked. This results in events being written to and read from an uninitialised kfifo. Read events are returned to userspace. Initialise the kfifo in the case where the software debounce is alre... • https://git.kernel.org/stable/c/65cff70464068a823b3f4a28074000febdce0630 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36897 – drm/amd/display: Atom Integrated System Info v2_2 for DCN35
https://notcve.org/view.php?id=CVE-2024-36897
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Atom Integrated System Info v2_2 for DCN35 New request from KMD/VBIOS in order to support new UMA carveout model. This fixes a null dereference from accessing Ctx->dc_bios->integrated_info while it was NULL. DAL parses through the BIOS and extracts the necessary integrated_info but was missing a case for the new BIOS version 2.3. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Atom Integr... • https://git.kernel.org/stable/c/3c7013a87124bab54216d9b99f77e8b6de6fbc1a • CWE-476: NULL Pointer Dereference •
CVSS: 6.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36894 – usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
https://notcve.org/view.php?id=CVE-2024-36894
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --... • https://git.kernel.org/stable/c/2e4c7553cd6f9c68bb741582dcb614edcbeca70f • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36889 – mptcp: ensure snd_nxt is properly initialized on connect
https://notcve.org/view.php?id=CVE-2024-36889
30 May 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect Christoph reported a splat hinting at a corrupted snd_una: WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Modules linked in: CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__... • https://git.kernel.org/stable/c/8fd738049ac3d67a937d36577763b47180aae1ad • CWE-665: Improper Initialization •