CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26809 – netfilter: nft_set_pipapo: release elements in clone only from destroy path
https://notcve.org/view.php?id=CVE-2024-26809
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). En el kernel de Linux,... • https://git.kernel.org/stable/c/4a6430b99f67842617c7208ca55a411e903ba03a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26808 – netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
https://notcve.org/view.php?id=CVE-2024-26808
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER event is reported, otherwise a stale reference to netdevice remains in the hook list. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nft_chain_filter: maneja NETDEV_UNREGISTER para la cadena base inet/ingress Elimine netdevice de la cadena base inet/ingress en cas... • https://git.kernel.org/stable/c/60a3815da702fd9e4759945f26cce5c47d3967ad • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2024-26807 – spi: cadence-qspi: fix pointer reference in runtime PM hooks
https://notcve.org/view.php?id=CVE-2024-26807
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct spi_controller *host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount o... • https://git.kernel.org/stable/c/2087e85bb66ee3652dafe732bb9b9b896229eafc •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2024-26805 – netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
https://notcve.org/view.php?id=CVE-2024-26805
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter syzbot reported the following uninit-value access issue [1]: netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since ... • https://git.kernel.org/stable/c/1853c949646005b5959c483becde86608f548f24 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26804 – net: ip_tunnel: prevent perpetual headroom growth
https://notcve.org/view.php?id=CVE-2024-26804
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_ge... • https://git.kernel.org/stable/c/243aad830e8a4cdda261626fbaeddde16b08d04a • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26801 – Bluetooth: Avoid potential use-after-free in hci_error_reset
https://notcve.org/view.php?id=CVE-2024-26801
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26795 – riscv: Sparse-Memory/vmemmap out-of-bounds fix
https://notcve.org/view.php?id=CVE-2024-26795
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: riscv: Sparse-Memory/vmemmap out-of-bounds fix Offset vmemmap so that the first page of vmemmap will be mapped to the first page of physical memory in order to ensure that vmemmap’s bounds will be respected during pfn_to_page()/page_to_pfn() operations. The conversion macros will produce correct SV39/48/57 addresses for every possible/valid DRAM_BASE inside the physical memory limits. v2:Address Alex's comments En el kernel de Linux, se res... • https://git.kernel.org/stable/c/d95f1a542c3df396137afa217ef9bd39cb8931ca •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26793 – gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
https://notcve.org/view.php?id=CVE-2024-26793
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_newlink() The gtp_link_ops operations structure for the subsystem must be registered after registering the gtp_net_ops pernet operations structure. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: [ 1010.702740] gtp: GTP module unloaded [ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 1010.715888] KA... • https://git.kernel.org/stable/c/459aa660eb1d8ce67080da1983bb81d716aa5a69 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26792 – btrfs: fix double free of anonymous device after snapshot creation failure
https://notcve.org/view.php?id=CVE-2024-26792
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device ... • https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26791 – btrfs: dev-replace: properly validate device names
https://notcve.org/view.php?id=CVE-2024-26791
04 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: dev-replace: properly validate device names There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and ... • https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84 •