CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26928 – smb: client: fix potential UAF in cifs_debug_files_proc_show()
https://notcve.org/view.php?id=CVE-2024-26928
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_debug_files_proc_show() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88 https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1 https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52646 – aio: fix mremap after fork null-deref
https://notcve.org/view.php?id=CVE-2023-52646
In the Linux kernel, the following vulnerability has been resolved: aio: fix mremap after fork null-deref Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL. [jmoyer@redhat.com: fix 80 column issue] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: aio: corrige mremap después de la bifurcación null-deref Commit e4a0d3e720e7 ("aio: Make it posible reasignar el anillo aio") introdujo un null-deref si se llama a mremap en un mapeo aio antiguo después de la bifurcación como mm->ioctx_table se establecerá en NULL. [jmoyer@redhat.com: soluciona el problema de 80 columnas] • https://git.kernel.org/stable/c/e4a0d3e720e7e508749c1439b5ba3aff56c92976 https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95 https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22 https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2 https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1 https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e2997 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26926 – binder: check offset alignment in binder_get_object()
https://notcve.org/view.php?id=CVE-2024-26926
In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df ("binder: add function to copy binder object from buffer"), likely removed due to redundancy at the time. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Binder: verifique la alineación de desplazamiento en binder_get_object() El commit 6d98eb95b450 ("binder: evite posibles fugas de datos al copiar txn") introdujo cambios en la forma en que se copian los objetos de Binder. Al hacerlo, eliminó involuntariamente una verificación de alineación de desplazamiento realizada mediante llamadas a binder_alloc_copy_from_buffer() -> check_buffer(). • https://git.kernel.org/stable/c/c056a6ba35e00ae943e377eb09abd77a6915b31a https://git.kernel.org/stable/c/23e9d815fad84c1bee3742a8de4bd39510435362 https://git.kernel.org/stable/c/7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde https://git.kernel.org/stable/c/6d98eb95b450a75adb4516a1d33652dc78d2b20c https://git.kernel.org/stable/c/66e12f5b3a9733f941893a00753b10498724607d https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12 https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da887 •
CVSS: 7.0EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26925 – netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
https://notcve.org/view.php?id=CVE-2024-26925
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: libera mutex después de nft_gc_seq_end de la ruta de cancelación. El mutex de confirmación no debe liberarse durante la sección crítica entre nft_gc_seq_begin() y nft_gc_seq_end(); de lo contrario, el trabajador asíncrono de GC podría recopilar objetos caducados y obtener el bloqueo de confirmación liberado dentro de la misma secuencia de GC. nf_tables_module_autoload() libera temporalmente el mutex para cargar las dependencias del módulo, luego vuelve a reproducir la transacción nuevamente. Muévalo al final de la fase de cancelación después de llamar a nft_gc_seq_end(). A flaw was found in the Linux kernel’s Netfilter nf_tables module. • https://git.kernel.org/stable/c/4b6346dc1edfb9839d6edee7360ed31a22fa6c95 https://git.kernel.org/stable/c/23292bdfda5f04e704a843b8f97b0eb95ace1ca6 https://git.kernel.org/stable/c/b44a459c6561595ed7c3679599c5279204132b33 https://git.kernel.org/stable/c/5d319f7a81431c6bb32eb4dc7d7975f99e2c8c66 https://git.kernel.org/stable/c/720344340fb9be2765bbaab7b292ece0a4570eae https://git.kernel.org/stable/c/f85ca36090cbb252bcbc95fc74c2853fc792694f https://git.kernel.org/stable/c/e07e68823116563bdbc49cef185cda6f463bc534 https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f791 • CWE-667: Improper Locking •
CVSS: 7.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26923 – af_unix: Fix garbage collector racing against connect()
https://notcve.org/view.php?id=CVE-2024-26923
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. • https://git.kernel.org/stable/c/1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423 https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3 https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51 https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9 https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •