CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-53171 – ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
https://notcve.org/view.php?id=CVE-2024-53171
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`. A further deletion of other nodes in the tree (which also could free the nodes), the aforementioned node's `znode->cparent` could still point to a freed node. This `znode->cparent` may not be updated when getting nodes to commit in `ubifs_tnc_start_commit()`. This could then trig... • https://git.kernel.org/stable/c/16a26b20d2afd0cf063816725b45b12e78d5bb31 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53170 – block: fix uaf for flush rq while iterating tags
https://notcve.org/view.php?id=CVE-2024-53170
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: block: fix uaf for flush rq while iterating tags blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, cause following uaf that is found by ou... • https://git.kernel.org/stable/c/6cfeadbff3f8905f2854735ebb88e581402c16c4 •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53168 – sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
https://notcve.org/view.php?id=CVE-2024-53168
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53166 – block, bfq: fix bfqq uaf in bfq_limit_depth()
https://notcve.org/view.php?id=CVE-2024-53166
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix bfqq uaf in bfq_limit_depth() Set new allocated bfqq to bic or remove freed bfqq from bic are both protected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq from bic without the lock, this can lead to UAF if the io_context is shared by multiple tasks. For example, test bfq with io_uring can trigger following UAF in v6.6: ================================================================== BUG: KASAN: slab-use-... • https://git.kernel.org/stable/c/76f1df88bbc2f984eb0418cc90de0a8384e63604 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53165 – sh: intc: Fix use-after-free bug in register_intc_controller()
https://notcve.org/view.php?id=CVE-2024-53165
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: sh: intc: Fix use-after-free bug in register_intc_controller() In the error handling for this function, d is freed without ever removing it from intc_list which would lead to a use after free. To fix this, let's only add it to the list after everything has succeeded. In the Linux kernel, the following vulnerability has been resolved: sh: intc: Fix use-after-free bug in register_intc_controller() In the error handling for this function, d ... • https://git.kernel.org/stable/c/2dcec7a988a1895540460a0bf5603bab63d5a3ed •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49034 – sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
https://notcve.org/view.php?id=CVE-2022-49034
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected, cpu_max_bits_warn() generates a runtime warning similar as below when showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0... • https://git.kernel.org/stable/c/8fbb57eabfc8ae67115cb47f904614c99d626a89 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53164 – net: sched: fix ordering of qlen adjustment
https://notcve.org/view.php?id=CVE-2024-53164
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty. In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a c... • https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53163 – crypto: qat/qat_420xx - fix off by one in uof_get_name()
https://notcve.org/view.php?id=CVE-2024-53163
24 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_420xx - fix off by one in uof_get_name() This is called from uof_get_name_420xx() where "num_objs" is the ARRAY_SIZE() of fw_objs[]. The > needs to be >= to prevent an out of bounds access. In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_420xx - fix off by one in uof_get_name() This is called from uof_get_name_420xx() where "num_objs" is the ARRAY_SIZE() of fw_objs[]. The > needs to be ... • https://git.kernel.org/stable/c/fcf60f4bcf54952cc14d14178c358be222dbeb43 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53162 – crypto: qat/qat_4xxx - fix off by one in uof_get_name()
https://notcve.org/view.php?id=CVE-2024-53162
24 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_4xxx - fix off by one in uof_get_name() The fw_objs[] array has "num_objs" elements so the > needs to be >= to prevent an out of bounds read. In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_4xxx - fix off by one in uof_get_name() The fw_objs[] array has "num_objs" elements so the > needs to be >= to prevent an out of bounds read. • https://git.kernel.org/stable/c/10484c647af6b1952d1675e83be9cc976cdb6a96 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-53161 – EDAC/bluefield: Fix potential integer overflow
https://notcve.org/view.php?id=CVE-2024-53161
24 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: EDAC/bluefield: Fix potential integer overflow The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. l... • https://git.kernel.org/stable/c/82413e562ea6eadfb6de946dcc6f74af31d64e7f •