CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52531 – wifi: iwlwifi: mvm: Fix a memory corruption issue
https://notcve.org/view.php?id=CVE-2023-52531
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm... • https://git.kernel.org/stable/c/8ca151b568b67a7b72dcfc6ee6ea7c107ddd795c •
CVSS: 5.8EPSS: 0%CPEs: 13EXPL: 0CVE-2023-52530 – wifi: mac80211: fix potential key use-after-free
https://notcve.org/view.php?id=CVE-2023-52530
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that ... • https://git.kernel.org/stable/c/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e • CWE-416: Use After Free •
CVSS: 6.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52529 – HID: sony: Fix a potential memory leak in sony_probe()
https://notcve.org/view.php?id=CVE-2023-52529
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: HID: sony: Fix a potential memory leak in sony_probe() If an error occurs after a successful usb_alloc_urb() call, usb_free_urb() should be called. • https://git.kernel.org/stable/c/fb1a79a6b6e1223ddb18f12aa35e36f832da2290 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52528 – net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
https://notcve.org/view.php?id=CVE-2023-52528
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg syzbot reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Goo... • https://git.kernel.org/stable/c/d0cad871703b898a442e4049c532ec39168e5b57 • CWE-252: Unchecked Return Value •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52527 – ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
https://notcve.org/view.php?id=CVE-2023-52527
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() Including the transhdrlen in length is a problem when the packet is partially filled (e.g. something like send(MSG_MORE) happened previously) when appending to an IPv4 or IPv6 packet as we don't want to repeat the transport header or account for it twice. This can happen under some circumstances, such as splicing into an L2TP socket. The symptom observed is a warning in _... • https://git.kernel.org/stable/c/a32e0eec7042b21ccb52896cf715e3e2641fed93 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52525 – wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
https://notcve.org/view.php?id=CVE-2023-52525
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet Only skip the code path trying to access the rfc1042 headers when the buffer is too small, so the driver can still process packets without rfc1042 headers. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mwifiex: corrige la condición de verificación de oob en mwifiex_process_rx_packet Solo omita la ruta del código al intentar acceder a los encabez... • https://git.kernel.org/stable/c/f517c97fc129995de77dd06aa5a74f909ebf568f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52524 – net: nfc: llcp: Add lock when modifying device list
https://notcve.org/view.php?id=CVE-2023-52524
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: llcp: Add lock when modifying device list The device list needs its associated lock held when modifying it, or the list could become corrupted, as syzbot discovered. • https://git.kernel.org/stable/c/dd6ff3f3862709ab1a12566e73b9d6a9b8f6e548 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52523 – bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
https://notcve.org/view.php?id=CVE-2023-52523
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages sent from one TCP socket (s1) to actually egress from another TCP socket (s2): tcp_bpf_sendmsg(s1) // = sk_prot->sendmsg tcp_bpf_send_verdict(s1) // __SK_REDIRECT case tcp_bpf_sendmsg_redir(s2) tcp_bpf_push_locked(s2) tcp_bpf_push(s2) tcp_rate_check_app_limited(s2) // expects tcp_sock ... • https://git.kernel.org/stable/c/122e6c79efe1c25816118aca9cfabe54e99c2432 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52522 – net: fix possible store tearing in neigh_periodic_work()
https://notcve.org/view.php?id=CVE-2023-52522
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: net: fix possible store tearing in neigh_periodic_work() While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh... • https://git.kernel.org/stable/c/767e97e1e0db0d0f3152cd2f3bd3403596aedbad • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52520 – platform/x86: think-lmi: Fix reference leak
https://notcve.org/view.php?id=CVE-2023-52520
02 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix reference leak If a duplicate attribute is found using kset_find_obj(), a reference to that attribute is returned which needs to be disposed accordingly using kobject_put(). Move the setting name validation into a separate function to allow for this change without having to duplicate the cleanup code for this setting. As a side note, a very similar bug was fixed in commit 7295a996fdab ("platform/x86: dell-sysm... • https://git.kernel.org/stable/c/1bcad8e510b27ad843315ab2c27ccf459e3acded •