CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47598 – sch_cake: do not call cake_destroy() from cake_init()
https://notcve.org/view.php?id=CVE-2021-47598
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: sch_cake: do not call cake_destroy() from cake_init() qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 ... • https://git.kernel.org/stable/c/046f6fd5daefac7f5abdafb436b30f63bc7c602b •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47597 – inet_diag: fix kernel-infoleak for UDP sockets
https://notcve.org/view.php?id=CVE-2021-47597
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: inet_diag: fix kernel-infoleak for UDP sockets KMSAN reported a kernel-infoleak [1], that can exploited by unpriv users. After analysis it turned out UDP was not initializing r->idiag_expires. Other users of inet_sk_diag_fill() might make the same mistake in the future, so fix this in inet_sk_diag_fill(). [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] BUG: KMSAN: kernel-infoleak in copyo... • https://git.kernel.org/stable/c/3c4d05c8056724aff3abc20650807dd828fded54 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47596 – net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg
https://notcve.org/view.php?id=CVE-2021-47596
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Currently, the hns3_remove function firstly uninstall client instance, and then uninstall acceletion engine device. The netdevice is freed in client instance uninstall process, but acceletion engine device uninstall process still use it to trace runtime information. This causes a use after free problem. So fixes it by check the instance register state to avoid use after free. En el k... • https://git.kernel.org/stable/c/d8355240cf8fb8b9e002b5c8458578435cea85c2 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47595 – net/sched: sch_ets: don't remove idle classes from the round-robin list
https://notcve.org/view.php?id=CVE-2021-47595
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't remove idle classes from the round-robin list Shuang reported that the following script: 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp & 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 crashes systemati... • https://git.kernel.org/stable/c/ae2659d2c670252759ee9c823c4e039c0e05a6f2 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47594 – mptcp: never allow the PM to close a listener subflow
https://notcve.org/view.php?id=CVE-2021-47594
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: never allow the PM to close a listener subflow Currently, when deleting an endpoint the netlink PM treverses all the local MPTCP sockets, regardless of their status. If an MPTCP listener socket is bound to the IP matching the delete endpoint, the listener TCP socket will be closed. That is unexpected, the PM should only affect data subflows. Additionally, syzbot was able to trigger a NULL ptr dereference due to the above: general pro... • https://git.kernel.org/stable/c/740d798e8767d8a449902b1a1bbc70facfce19b5 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47593 – mptcp: clear 'kern' flag from fallback sockets
https://notcve.org/view.php?id=CVE-2021-47593
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: clear 'kern' flag from fallback sockets The mptcp ULP extension relies on sk->sk_sock_kern being set correctly: It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket). But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work. This will crash the kernel, The subflow extension has a NULL ctx... • https://git.kernel.org/stable/c/cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47592 – net: stmmac: fix tc flower deletion for VLAN priority Rx steering
https://notcve.org/view.php?id=CVE-2021-47592
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- 1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlan_prio 0 hw_tc 0 2) Get the... • https://git.kernel.org/stable/c/0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47591 – mptcp: remove tcp ulp setsockopt support
https://notcve.org/view.php?id=CVE-2021-47591
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: remove tcp ulp setsockopt support TCP_ULP setsockopt cannot be used for mptcp because its already used internally to plumb subflow (tcp) sockets to the mptcp layer. syzbot managed to trigger a crash for mptcp connections that are in fallback mode: KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0 RIP: 0010:tls_build_proto net/tls/tls_main.c... • https://git.kernel.org/stable/c/d9e4c129181004ec94b315b0c9db5eeb09da75e6 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47590 – mptcp: fix deadlock in __mptcp_push_pending()
https://notcve.org/view.php?id=CVE-2021-47590
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: fix deadlock in __mptcp_push_pending() __mptcp_push_pending() may call mptcp_flush_join_list() with subflow socket lock held. If such call hits mptcp_sockopt_sync_all() then subsequently __mptcp_sockopt_sync() could try to lock the subflow socket for itself, causing a deadlock. sysrq: Show Blocked State task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47589 – igbvf: fix double free in `igbvf_probe`
https://notcve.org/view.php?id=CVE-2021-47589
19 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: igbvf: fix double free in `igbvf_probe` In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). Ho... • https://git.kernel.org/stable/c/d4e0fe01a38a073568aee541a0247fe734095979 •