CVE-2023-1079 – kernel: hid: Use After Free in asus_remove()
https://notcve.org/view.php?id=CVE-2023-1079
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data. A use-after-free flaw was found in asus_kbd_backlight_set in drivers/hid/hid-asus.c in the Linux Kernel. • https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4ab3a086d10eeec1424f2e8a968827a6336203df https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html https://access.redhat.com/security/cve/CVE-2023-1079 https://bugzilla.redhat.com/show_bug.cgi?id=2173444 • CWE-416: Use After Free •
CVE-2023-28866 – kernel: Bluetooth: HCI: global out-of-bounds access in net/bluetooth/hci_sync.c
https://notcve.org/view.php?id=CVE-2023-28866
In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not. An out-of-bounds (OOB) memory access flaw was found in net/bluetooth/hci_sync.c due to a missing exit patch while in loop in amp_init1[] and amp_init2[]. This issue could allow an attacker to leak internal kernel information. • https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=95084403f8c070ccf5d7cbe72352519c1798a40a https://lore.kernel.org/lkml/20230321015018.1759683-1-iam%40sung-woo.kim https://patchwork.kernel.org/project/bluetooth/patch/20230322232543.3079578-1-luiz.dentz%40gmail.com https://access.redhat.com/security/cve/CVE-2023-28866 https://bugzilla.redhat.com/show_bug.cgi?id=2185519 • CWE-125: Out-of-bounds Read •
CVE-2021-3923 – kernel: stack information leak in infiniband RDMA
https://notcve.org/view.php?id=CVE-2021-3923
A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms. A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. • https://bugzilla.redhat.com/show_bug.cgi?id=2019643 https://lore.kernel.org/all/20220204100036.GA12348%40kili https://access.redhat.com/security/cve/CVE-2021-3923 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-1077
https://notcve.org/view.php?id=CVE-2023-1077
In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. • https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=7c4a5b89a0b5a57a64b601775b296abf77a9fe97 https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://security.netapp.com/advisory/ntap-20230511-0002 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2023-1195 – kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c
https://notcve.org/view.php?id=CVE-2023-1195
A use-after-free flaw was found in reconn_set_ipaddr_from_hostname in fs/cifs/connect.c in the Linux kernel. The issue occurs when it forgets to set the free pointer server->hostname to NULL, leading to an invalid pointer request. • https://github.com/torvalds/linux/commit/153695d36ead0ccc4d0256953c751cabf673e621 https://access.redhat.com/security/cve/CVE-2023-1195 https://bugzilla.redhat.com/show_bug.cgi?id=2154171 • CWE-416: Use After Free •