CVSS: 4.6EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26859 – net/bnx2x: Prevent access to a freed page in page_pool
https://notcve.org/view.php?id=CVE-2024-26859
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However,... • https://git.kernel.org/stable/c/4cace675d687ebd2d813e90af80ff87ee85202f9 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52644 – wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled
https://notcve.org/view.php?id=CVE-2023-52644
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS is disabled to prevent trying to stop/wake a non-existent queue and failing to stop/wake the actual queue instantiated. Log of issue before change (with kernel parameter qos=0): [ +5.112651] ------------[ cut here ]---------... • https://git.kernel.org/stable/c/e6f5b934fba8c44c87c551e066aa7ca6fde2939e •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26857 – geneve: make sure to pull inner header in geneve_rx()
https://notcve.org/view.php?id=CVE-2024-26857
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: geneve: make sure to pull inner header in geneve_rx() syzbot triggered a bug in geneve_rx() [1] Issue is similar to the one I fixed in commit 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head.... • https://git.kernel.org/stable/c/2d07dc79fe04a43d82a346ced6bbf07bdb523f1b • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26856 – net: sparx5: Fix use after free inside sparx5_del_mact_entry
https://notcve.org/view.php?id=CVE-2024-26856
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: net: sparx5: Fix use after free inside sparx5_del_mact_entry Based on the static analyzis of the code it looks like when an entry from the MAC table was removed, the entry was still used after being freed. More precise the vid of the mac_entry was used after calling devm_kfree on the mac_entry. The fix consists in first using the vid of the mac_entry to delete the entry from the HW and after that to free it. En el kernel de Linux, se ha res... • https://git.kernel.org/stable/c/b37a1bae742f92cc9b1f777d54e04ee3d86bbfc2 •
CVSS: 4.6EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26855 – net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()
https://notcve.org/view.php?id=CVE-2024-26855
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() The function ice_bridge_setlink() may encounter a NULL pointer dereference if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently in nla_for_each_nested(). To address this issue, add a check to ensure that br_spec is not NULL before proceeding with the nested attribute iteration. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net... • https://git.kernel.org/stable/c/b1edc14a3fbfe0154a2aecb8bb9775c3012cb6e2 • CWE-690: Unchecked Return Value to NULL Pointer Dereference •
CVSS: 4.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26853 – igc: avoid returning frame twice in XDP_REDIRECT
https://notcve.org/view.php?id=CVE-2024-26853
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: igc: avoid returning frame twice in XDP_REDIRECT When a frame can not be transmitted in XDP_REDIRECT (e.g. due to a full queue), it is necessary to free it by calling xdp_return_frame_rx_napi. However, this is the responsibility of the caller of the ndo_xdp_xmit (see for example bq_xmit_all in kernel/bpf/devmap.c) and thus calling it inside igc_xdp_xmit (which is the ndo_xdp_xmit of the igc driver) as well will lead to memory corruption. In... • https://git.kernel.org/stable/c/4ff3203610928cac82d5627ce803559e78d61b91 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26852 – net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
https://notcve.org/view.php?id=CVE-2024-26852
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6_route_mpath_notify() syzbot found another use-after-free in ip6_route_mpath_notify() [1] Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause. We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase. [1] BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0 Read of size 4 at addr ffff88809... • https://git.kernel.org/stable/c/3b1137fe74829e021f483756a648cbb87c8a1b4a • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26851 – netfilter: nf_conntrack_h323: Add protection for bmp length out of range
https://notcve.org/view.php?id=CVE-2024-26851
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: Add protection for bmp length out of range UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts that are out of bounds for their data type. vmlinux get_bitmap(b=75) + 712
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26849 – netlink: add nla be16/32 types to minlen array
https://notcve.org/view.php?id=CVE-2024-26849
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline] BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline] BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline] BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 nla_validate_range_unsigned lib/nlattr.c:222 [inline] nla_validate_int_range lib/nlattr.c:3... • https://git.kernel.org/stable/c/ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26846 – nvme-fc: do not wait in vain when unloading module
https://notcve.org/view.php?id=CVE-2024-26846
17 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: nvme-fc: do not wait in vain when unloading module The module exit path has race between deleting all controllers and freeing 'left over IDs'. To prevent double free a synchronization between nvme_delete_ctrl and ida_destroy has been added by the initial commit. There is some logic around trying to prevent from hanging forever in wait_for_completion, though it does not handling all cases. E.g. blktests is able to reproduce the situation whe... • https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-415: Double Free •