CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35891 – net: phy: micrel: Fix potential null pointer dereference
https://notcve.org/view.php?id=CVE-2024-35891
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: Fix potential null pointer dereference In lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may return NULL as ptp_header due to abnormal packet type or corrupted packet. Fix this bug by adding ptp_header check. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: phy: micrel: corrige una posible desreferencia del puntero null ... • https://git.kernel.org/stable/c/ece19502834d84ece2e056db28257ca2aa6e4d48 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-35890 – gro: fix ownership transfer
https://notcve.org/view.php?id=CVE-2024-35890
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: gro: fix ownership transfer If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket. For example this could be observed, kernel BUG at inclu... • https://git.kernel.org/stable/c/5e10da5385d20c4bae587bc2921e5fdd9655d5fc •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-35888 – erspan: make sure erspan_base_hdr is present in skb->head
https://notcve.org/view.php?id=CVE-2024-35888
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: erspan: make sure erspan_base_hdr is present in skb->head syzbot reported a problem in ip6erspan_rcv() [1] Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make sure erspan_base_hdr is present in skb linear part (skb->head) before getting @ver field from it. Add the missing pskb_may_pull() calls. v2: Reload iph pointer in erspan_rcv() after pskb_may_pull() because skb->head might have changed. [1] BUG: KMSAN: uninit-value in pskb_... • https://git.kernel.org/stable/c/0a198e0bb8bef51ced179702ad1af6f9e3715b64 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35887 – ax25: fix use-after-free bugs caused by ax25_ds_del_timer
https://notcve.org/view.php?id=CVE-2024-35887
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ax25: fix use-after-free bugs caused by ax25_ds_del_timer When the ax25 device is detaching, the ax25_dev_device_down() calls ax25_ds_del_timer() to cleanup the slave_timer. When the timer handler is running, the ax25_ds_del_timer() that calls del_timer() in it will return directly. As a result, the use-after-free bugs could happen, one of the scenarios is shown below: (Thread 1) | (Thread 2) | ax25_ds_timeout() ax25_dev_device_down() | ax2... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35886 – ipv6: Fix infinite recursion in fib6_dump_done().
https://notcve.org/view.php?id=CVE-2024-35886
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix infinite recursion in fib6_dump_done(). syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1] From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_ro... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-35885 – mlxbf_gige: stop interface during shutdown
https://notcve.org/view.php?id=CVE-2024-35885
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: mlxbf_gige: stop interface during shutdown The mlxbf_gige driver intermittantly encounters a NULL pointer exception while the system is shutting down via "reboot" command. The mlxbf_driver will experience an exception right after executing its shutdown() method. One example of this exception is: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (curr... • https://git.kernel.org/stable/c/f92e1869d74e1acc6551256eb084a1c14a054e19 •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-35884 – udp: do not accept non-tunnel GSO skbs landing in a tunnel
https://notcve.org/view.php?id=CVE-2024-35884
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: udp: do not accept non-tunnel GSO skbs landing in a tunnel When rx-udp-gro-forwarding is enabled UDP packets might be GROed when being forwarded. If such packets might land in a tunnel this can cause various issues and udp_gro_receive makes sure this isn't the case by looking for a matching socket. This is performed in udp4/6_gro_lookup_skb but only in the current netns. This is an issue with tunneled packets when the endpoint is in another... • https://git.kernel.org/stable/c/9fd1ff5d2ac7181844735806b0a703c942365291 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-35879 – of: dynamic: Synchronize of_changeset_destroy() with the devlink removals
https://notcve.org/view.php?id=CVE-2024-35879
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: of: dynamic: Synchronize of_changeset_destroy() with the devlink removals In the following sequence: 1) of_platform_depopulate() 2) of_overlay_remove() During the step 1, devices are destroyed and devlinks are removed. During the step 2, OF nodes are destroyed but __of_changeset_entry_destroy() can raise warnings related to missing of_node_put(): ERROR: memory leak, expected refcount 1 instead of 2 ... Indeed, during the devlink removals pe... • https://git.kernel.org/stable/c/d007150b4e15bfcb8d36cfd88a5645d42e44d383 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35878 – of: module: prevent NULL pointer dereference in vsnprintf()
https://notcve.org/view.php?id=CVE-2024-35878
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: of: module: prevent NULL pointer dereference in vsnprintf() In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification ... • https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35877 – x86/mm/pat: fix VM_PAT handling in COW mappings
https://notcve.org/view.php?id=CVE-2024-35877
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: fix VM_PAT handling in COW mappings PAT handling won't do the right thing in COW mappings: the first PTE (or, in fact, all PTEs) can be replaced during write faults to point at anon folios. Reliably recovering the correct PFN and cachemode using follow_phys() from PTEs will not work in COW mappings. Using follow_phys(), we might just get the address+protection of the anon folio (which is very wrong), or fail on swap/nonswap entr... • https://git.kernel.org/stable/c/5899329b19100c0b82dc78e9b21ed8b920c9ffb3 •