CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40907 – ionic: fix kernel panic in XDP_TX action
https://notcve.org/view.php?id=CVE-2024-40907
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ionic: fix kernel panic in XDP_TX action In the XDP_TX path, ionic driver sends a packet to the TX path with rx page and corresponding dma address. After tx is done, ionic_tx_clean() frees that page. But RX ring buffer isn't reset to NULL. So, it uses a freed page, which causes kernel panic. BUG: unable to handle page fault for address: ffff8881576c110c PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060 Oops: Oops:... • https://git.kernel.org/stable/c/8eeed8373e1cca836799bf8e4a05cffa8e444908 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40906 – net/mlx5: Always stop health timer during driver removal
https://notcve.org/view.php?id=CVE-2024-40906
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continue with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invokes after resources were freed. Hence, stop the health monitor even if teardown_hca fails. [1] mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mo... • https://git.kernel.org/stable/c/9b98d395b85dd042fe83fb696b1ac02e6c93a520 • CWE-416: Use After Free •
CVSS: 4.7EPSS: 0%CPEs: 7EXPL: 0CVE-2024-40905 – ipv6: fix possible race in __fib6_drop_pcpu_from()
https://notcve.org/view.php?id=CVE-2024-40905
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible race in __fib6_drop_pcpu_from() syzbot found a race in __fib6_drop_pcpu_from() [1] If compiler reads more than once (*ppcpu_rt), second read could read NULL, if another cpu clears the value in rt6_get_pcpu_route(). Add a READ_ONCE() to prevent this race. Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt. [1] Oops: general protection fault, probably for non-canonical a... • https://git.kernel.org/stable/c/d52d3997f843ffefaa8d8462790ffcaca6c74192 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40904 – USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
https://notcve.org/view.php?id=CVE-2024-40904
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU... • https://git.kernel.org/stable/c/9908a32e94de2141463e104c9924279ed3509447 • CWE-667: Improper Locking •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40903 – usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps
https://notcve.org/view.php?id=CVE-2024-40903
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case in tcpm_register_source_caps(). This could happen when: * new (say invalid) source caps are advertised * the existing source caps are unregistered * tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails This causes port->partner_source_caps to hold on to the now freed source ca... • https://git.kernel.org/stable/c/cfcd544a9974c6b6fb37ca385146e4796dcaf66d • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40902 – jfs: xattr: fix buffer overflow for invalid xattr
https://notcve.org/view.php?id=CVE-2024-40902
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ... • https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •
CVSS: 5.7EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40901 – scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
https://notcve.org/view.php?id=CVE-2024-40901
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./inc... • https://git.kernel.org/stable/c/c696f7b83edeac804e898952058089143f49ca0a •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40900 – cachefiles: remove requests from xarray during flushing requests
https://notcve.org/view.php?id=CVE-2024-40900
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done... • https://git.kernel.org/stable/c/c8383054506c77b814489c09877b5db83fd4abf2 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40899 – cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
https://notcve.org/view.php?id=CVE-2024-40899
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call... • https://git.kernel.org/stable/c/e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39510 – cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()
https://notcve.org/view.php?id=CVE-2024-39510
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60 Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963 CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564 Call T... • https://git.kernel.org/stable/c/0a7e54c1959c0feb2de23397ec09c7692364313e •