CVSS: 7.0EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50059 – ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition
https://notcve.org/view.php?id=CVE-2024-50059
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work. If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), wh... • https://git.kernel.org/stable/c/d04be142b8b61ffb3c9cc5c6d1abda8fc59a16c9 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50058 – serial: protect uart_port_dtr_rts() in uart_shutdown() too
https://notcve.org/view.php?id=CVE-2024-50058
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: serial: protect uart_port_dtr_rts() in uart_shutdown() too Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part 3) added few uport == NULL checks. It added one to uart_shutdown(), so the commit assumes, uport can be NULL in there. But right after that protection, there is an unprotected "uart_port_dtr_rts(uport, false);" call. That is invoked only if HUPCL is set, so I assume that is the reason why we do not see lots of ... • https://git.kernel.org/stable/c/af224ca2df297440448b9d407d21b50982c6d532 • CWE-476: NULL Pointer Dereference •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50057 – usb: typec: tipd: Free IRQ only if it was requested before
https://notcve.org/view.php?id=CVE-2024-50057
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: tipd: Free IRQ only if it was requested before In polling mode, if no IRQ was requested there is no need to free it. Call devm_free_irq() only if client->irq is set. This fixes the warning caused by the tps6598x module removal: WARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c ... ... Call trace: devm_free_irq+0x80/0x8c tps6598x_remove+0x28/0x88 [tps6598x] i2c_device_remove+0x2c/0x9c device_remove+0x4c/... • https://git.kernel.org/stable/c/0a4c005bd1715d8b32a368ed5516a6ee7e603d18 • CWE-763: Release of Invalid Pointer or Reference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50045 – netfilter: br_netfilter: fix panic with metadata_dst skb
https://notcve.org/view.php?id=CVE-2024-50045
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: fix panic with metadata_dst skb Fix a kernel panic in the br_netfilter module when sending untagged traffic via a VxLAN device. This happens during the check for fragmentation in br_nf_dev_queue_xmit. It is dependent on: 1) the br_netfilter module being loaded; 2) net.bridge.bridge-nf-call-iptables set to 1; 3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port; 4) untagged frames with size highe... • https://git.kernel.org/stable/c/11538d039ac6efcf4f1a6c536e1b87cd3668a9fd •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50044 – Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
https://notcve.org/view.php?id=CVE-2024-50044
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked but rfcomm_sock_ioctl always attempt to lock it causing the following trace: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted ------------------------------------------------... • https://git.kernel.org/stable/c/3241ad820dbb172021e0268b5611031991431626 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2024-50040 – igb: Do not bring the device up after non-fatal error
https://notcve.org/view.php?id=CVE-2024-50040
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: igb: Do not bring the device up after non-fatal error Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal") changed igb_io_error_detected() to ignore non-fatal pcie errors in order to avoid hung task that can happen when igb_down() is called multiple times. This caused an issue when processing transient non-fatal errors. igb_io_resume(), which is called after igb_io_error_detected(), assumes that device is brought down by igb_i... • https://git.kernel.org/stable/c/124e39a734cb90658b8f0dc110847bbfc6e33792 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50039 – net/sched: accept TCA_STAB only for root qdisc
https://notcve.org/view.php?id=CVE-2024-50039
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net/sched: accept TCA_STAB only for root qdisc Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers. Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1] We can't support TCA_STAB on arbitrary level, this would require to maintain per-qdisc storage. [1] [ 88.796496] BUG: kernel NULL pointer dereference,... • https://git.kernel.org/stable/c/175f9c1bba9b825d22b142d183c9e175488b260c • CWE-476: NULL Pointer Dereference •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50038 – netfilter: xtables: avoid NFPROTO_UNSPEC where needed
https://notcve.org/view.php?id=CVE-2024-50038
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid NFPROTO_UNSPEC where needed syzbot managed to call xt_cluster match via ebtables: WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 [..] ebt_do_table+0x174b/0x2a40 Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet processing. As this is only useful to restrict locally terminating TCP/UDP traffic, register this for ipv4 and ipv6 family only. Pablo points out that th... • https://git.kernel.org/stable/c/0269ea4937343536ec7e85649932bc8c9686ea78 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 7.0EPSS: 0%CPEs: 10EXPL: 0CVE-2024-50036 – net: do not delay dst_entries_add() in dst_release()
https://notcve.org/view.php?id=CVE-2024-50036
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy(... • https://git.kernel.org/stable/c/f88649721268999bdff09777847080a52004f691 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50035 – ppp: fix ppp_async_encode() illegal access
https://notcve.org/view.php?id=CVE-2024-50035
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ppp: fix ppp_async_encode() illegal access syzbot reported an issue in ppp_async_encode() [1] In this case, pppoe_sendmsg() is called with a zero size. Then ppp_async_encode() is called with an empty skb. BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] ppp_asy... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-908: Use of Uninitialized Resource •