CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52921 – drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()
https://notcve.org/view.php?id=CVE-2023-52921
19 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security. In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Sugg... • https://git.kernel.org/stable/c/9a2393af1f35d1975204fc00035c64a1c792b278 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50262 – bpf: Fix out-of-bounds write in trie_get_next_key()
https://notcve.org/view.php?id=CVE-2024-50262
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be wri... • https://git.kernel.org/stable/c/b471f2f1de8b816f1e799b80aa92588f3566e4bd • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50259 – netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()
https://notcve.org/view.php?id=CVE-2024-50259
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() This was found by a static analyzer. We should not forget the trailing zero after copy_from_user() if we will further do some string operations, sscanf() in this case. Adding a trailing zero will ensure that the function performs properly. In the Linux kernel, the following vulnerability has been resolved: netdevsim: Add trailing zero to terminate t... • https://git.kernel.org/stable/c/c6385c0b67c527b298111775bc89a7407ba1581e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50258 – net: fix crash when config small gso_max_size/gso_ipv4_max_size
https://notcve.org/view.php?id=CVE-2024-50258
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: net: fix crash when config small gso_max_size/gso_ipv4_max_size Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535... • https://git.kernel.org/stable/c/46e6b992c2502b094e61da6994f1363f3b7c1413 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50257 – netfilter: Fix use-after-free in get_info()
https://notcve.org/view.php?id=CVE-2024-50257
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: Fix use-after-free in get_info() ip6table_nat module unload has refcnt warning for UAF. call trace is: WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80 Modules linked in: ip6table_nat(-) CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mo... • https://git.kernel.org/stable/c/fdacd57c79b79a03c7ca88f706ad9fb7b46831c1 • CWE-416: Use After Free •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50256 – netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
https://notcve.org/view.php?id=CVE-2024-50256
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:... • https://git.kernel.org/stable/c/c8d7b98bec43faaa6583c3135030be5eb4693acb •
CVSS: 7.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50255 – Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
https://notcve.org/view.php?id=CVE-2024-50255
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes. __hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no... • https://git.kernel.org/stable/c/abfeea476c68afea54c9c050a2d3b19d5d2ee873 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50252 – mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
https://notcve.org/view.php?id=CVE-2024-50252
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver. Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a warning [2] and a memory leak [3]. The problem is that the new remote address is never added by the driver to its ... • https://git.kernel.org/stable/c/cf42911523e02026cb56d329e584ae5923e94ba1 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 1CVE-2024-50251 – netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
https://notcve.org/view.php?id=CVE-2024-50251
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() If access to offset + length is larger than the skbuff length, then skb_checksum() triggers BUG_ON(). skb_checksum() internally subtracts the length parameter while iterating over skbuff, BUG_ON(len) at the end of it checks that the expected length to be included in the checksum calculation is fully consumed. An incorrect buffer length flaw was found in the Lin... • https://github.com/slavin-ayu/CVE-2024-50251-PoC •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50249 – ACPI: CPPC: Make rmw_lock a raw_spin_lock
https://notcve.org/view.php?id=CVE-2024-50249
09 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Make rmw_lock a raw_spin_lock The following BUG was triggered: ============================= [ BUG: Invalid wait context ] 6.12.0-rc2-XXX #406 Not tainted ----------------------------- kworker/1:1/62 is trying to lock: ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370 other info that might help us debug this: context-{5:5} 2 locks held by kworker/1:1/62: #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, a... • https://git.kernel.org/stable/c/94e8c988468dafde1d2bfe0532a60a3117f6394b •