CVSS: 4.6EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38540 – bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
https://notcve.org/view.php?id=CVE-2024-38540
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0. Fix it in the one caller that had this combination. The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-... • https://git.kernel.org/stable/c/0c4dcd602817502bb3dced7a834a13ef717d65a4 • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38538 – net: bridge: xmit: make sure we have at least eth header len bytes
https://notcve.org/view.php?id=CVE-2024-38538
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-36978 – net: sched: sch_multiq: fix possible OOB write in multiq_tune()
https://notcve.org/view.php?id=CVE-2024-36978
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: sched: sch_multiq: corrige posible escritura OOB en multiq_tune() q->bands se asignarán a qopt->bands para ejecutar ... • https://git.kernel.org/stable/c/c2999f7fb05b87da4060e38150c70fa46794d82b • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36975 – KEYS: trusted: Do not use WARN when encode fails
https://notcve.org/view.php?id=CVE-2024-36975
18 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Do not use WARN when encode fails When asn1_encode_sequence() fails, WARN is not the correct solution. 1. asn1_encode_sequence() is not an internal function (located in lib/asn1_encode.c). 2. Location is known, which makes the stack trace useless. 3. Results a crash if panic_on_warn is set. It is also noteworthy that the use of WARN is undocumented, and it should be avoided unless there is a carefully considered rationale to ... • https://git.kernel.org/stable/c/f2219745250f388edacabe6cca73654131c67d0a •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-36974 – net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
https://notcve.org/view.php?id=CVE-2024-36974
18 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can ... • https://git.kernel.org/stable/c/a3d43c0d56f1b94e74963a2fbadfb70126d92213 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36972 – af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
https://notcve.org/view.php?id=CVE-2024-36972
10 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock. Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob(). __unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly. However, the peer socket still can send MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, le... • https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-36971 – Android Kernel Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-36971
10 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this mea... • https://git.kernel.org/stable/c/a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36969 – drm/amd/display: Fix division by zero in setup_dsc_config
https://notcve.org/view.php?id=CVE-2024-36969
08 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix division by zero in setup_dsc_config When slice_height is 0, the division by slice_height in the calculation of the number of slices will cause a division by zero driver crash. This leaves the kernel in a state that requires a reboot. This patch adds a check to avoid the division by zero. The stack trace below is for the 6.8.4 Kernel. I reproduced the issue on a Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display moni... • https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445 • CWE-369: Divide By Zero •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36968 – Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()
https://notcve.org/view.php?id=CVE-2024-36968
08 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR(... • https://git.kernel.org/stable/c/6ed58ec520ad2b2fe3f955c8a5fd0eecafccebdf • CWE-190: Integer Overflow or Wraparound CWE-369: Divide By Zero •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-36967 – KEYS: trusted: Fix memory leak in tpm2_key_encode()
https://notcve.org/view.php?id=CVE-2024-36967
08 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak in tpm2_key_encode() 'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KEYS: confiable: corrige la pérdida de memoria en tpm2_key_encode() 'scratch' nunca se libera. Solucione este problema llamando a kfree() en caso de éxito y de error. In the Linux kernel, the following vulnerability has been resolve... • https://git.kernel.org/stable/c/f2219745250f388edacabe6cca73654131c67d0a • CWE-401: Missing Release of Memory after Effective Lifetime •