Page 2 of 2265 results (0.010 seconds)

CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0

17 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: peak_usb: fix use after free bugs After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the peak_usb_netif_rx_ni(). Reordering the lines solves the issue. In the Linux kernel, the following vulnerability has been resolved: can: peak_usb: fix use after free bugs After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can... • https://git.kernel.org/stable/c/0a25e1f4f18566b750ebd3ae995af64e23111e63 • CWE-416: Use After Free •

CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0

17 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: vxcan: vxcan_xmit: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the canfd_frame cfd which aliases skb memory is accessed after the netif_rx_ni(). In the Linux kernel, the following vulnerability has been resolved: can: vxcan: vxcan_xmit: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the canfd_frame cfd which aliases skb memory is access... • https://git.kernel.org/stable/c/a8f820a380a2a06fc4fe1a54159067958f800929 • CWE-416: Use After Free •

CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0

17 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: dev: can_restart: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the netif_rx_ni() in: stats->rx_bytes += cf->len; Reordering the lines solves the issue. In the Linux kernel, the following vulnerability has been resolved: can: dev: can_restart: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. E... • https://git.kernel.org/stable/c/39549eef3587f1c1e8c65c88a2400d10fd30ea17 • CWE-416: Use After Free •

CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0

17 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_... • https://git.kernel.org/stable/c/39549eef3587f1c1e8c65c88a2400d10fd30ea17 •

CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix incorrect validation for num_aces field of smb_acl parse_dcal() validate num_aces to allocate posix_ace_state_array. if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actual number of aces in request buffer size. Use this to check invalid num_aces. In the Linux kernel, the following vulnerability has been resolved... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •

CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. In the Linux kernel, the f... • https://git.kernel.org/stable/c/a858cd58dea06cf85b142673deea8c5d87f11e70 • CWE-125: Out-of-bounds Read •

CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:... • https://git.kernel.org/stable/c/9af297aea8f76a0ad21f2de5f2cd6401a748b9c3 •

CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0

02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't ha... • https://git.kernel.org/stable/c/979e197968a1e8f09bf0d706801dba4432f85ab3 •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function int... • https://git.kernel.org/stable/c/7389337f0a78ea099c47f0af08f64f20c52ab4ba •

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes. In the Linux kernel, the following vulnerability has been resol... • https://git.kernel.org/stable/c/3d679d5aec648f50e645702929890b9611998a0b •