CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40902 – jfs: xattr: fix buffer overflow for invalid xattr
https://notcve.org/view.php?id=CVE-2024-40902
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ... • https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •
CVSS: 5.7EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40901 – scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
https://notcve.org/view.php?id=CVE-2024-40901
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./inc... • https://git.kernel.org/stable/c/c696f7b83edeac804e898952058089143f49ca0a •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40900 – cachefiles: remove requests from xarray during flushing requests
https://notcve.org/view.php?id=CVE-2024-40900
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done... • https://git.kernel.org/stable/c/c8383054506c77b814489c09877b5db83fd4abf2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39509 – HID: core: remove unnecessary WARN_ON() in implement()
https://notcve.org/view.php?id=CVE-2024-39509
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID... • https://git.kernel.org/stable/c/95d1c8951e5bd50bb89654a99a7012b1e75646bd •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-39508 – io_uring/io-wq: Use set_bit() and test_bit() at worker->flags
https://notcve.org/view.php?id=CVE-2024-39508
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / ... • https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0 • CWE-364: Signal Handler Race Condition •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-39507 – net: hns3: fix kernel crash problem in concurrent scenario
https://notcve.org/view.php?id=CVE-2024-39507
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce registered, and when uninit, need to wait link update finish. In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix ... • https://git.kernel.org/stable/c/45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39506 – liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
https://notcve.org/view.php?id=CVE-2024-39506
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dis... • https://git.kernel.org/stable/c/1f233f327913f3dee0602cba9c64df1903772b55 • CWE-476: NULL Pointer Dereference •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-39505 – drm/komeda: check for error-valued pointer
https://notcve.org/view.php?id=CVE-2024-39505
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. • https://git.kernel.org/stable/c/502932a03fceca1cb161eba5f30b18eb640aa8de •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39503 – netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
https://notcve.org/view.php?id=CVE-2024-39503
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Lion Ackermann reported that there is a race condition between namespace cleanup in ipset and the garbage collection of the list:set type. The namespace cleanup can destroy the list:set type of sets while the gc of the set type is waiting to run in rcu cleanup. The latter uses data from the destroyed set which thus leads use after free. The patch contains the f... • https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225 • CWE-416: Use After Free •
CVSS: 6.7EPSS: 0%CPEs: 7EXPL: 0CVE-2024-39502 – ionic: fix use after netif_napi_del()
https://notcve.org/view.php?id=CVE-2024-39502
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del() When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. The ionic_qcq_enable() checks whether the .poll pointer is not NULL for enabling only the using queue' napi. Unused queues' napi will not be registered by netif_napi_add(), so the .poll pointer indica... • https://git.kernel.org/stable/c/0f3154e6bcb354968cc04f7cd86ce466f7b9a814 • CWE-416: Use After Free •