CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26760 – scsi: target: pscsi: Fix bio_put() for error case
https://notcve.org/view.php?id=CVE-2024-26760
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: pscsi: Fix bio_put() for error case As of commit 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc wrapper"), a bio allocated by bio_kmalloc() must be freed by bio_uninit() and kfree(). That is not done properly for the error case, hitting WARN and NULL pointer dereference in bio_free(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: target: pscsi: corrige bio_put() para el caso de error A par... • https://git.kernel.org/stable/c/066ff571011d8416e903d3d4f1f41e0b5eb91e1d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26759 – mm/swap: fix race when skipping swapcache
https://notcve.org/view.php?id=CVE-2024-26759
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: mm/swap: fix race when skipping swapcache When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads swapin the same entry at the same time, they get different pages (A, B). Before one thread (T0) finishes the swapin and installs page (A) to the PTE, another thread (T1) could finish swapin of page (B), swap_free the entry, then swap out the possibly modified page reusing the same entry. It breaks the pte_same check in (T0) becau... • https://git.kernel.org/stable/c/0bcac06f27d7528591c27ac2b093ccd71c5d0168 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26758 – md: Don't ignore suspended array in md_check_recovery()
https://notcve.org/view.php?id=CVE-2024-26758
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore suspended array in md_check_recovery() mddev_suspend() never stop sync_thread, hence it doesn't make sense to ignore suspended array in md_check_recovery(), which might cause sync_thread can't be unregistered. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang can be triggered by test shell/integrity-caching.sh: 1) suspend the array: raid_postsuspend mddev_suspend 2) stop the array: raid_dtr md_stop ... • https://git.kernel.org/stable/c/68866e425be2ef2664aa5c691bb3ab789736acf5 • CWE-20: Improper Input Validation CWE-129: Improper Validation of Array Index •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26757 – md: Don't ignore read-only array in md_check_recovery()
https://notcve.org/view.php?id=CVE-2024-26757
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore read-only array in md_check_recovery() Usually if the array is not read-write, md_check_recovery() won't register new sync_thread in the first place. And if the array is read-write and sync_thread is registered, md_set_readonly() will unregister sync_thread before setting the array read-only. md/raid follow this behavior hence there is no problem. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang ca... • https://git.kernel.org/stable/c/ecbfb9f118bce49f571675929160e4ecef91cc8a • CWE-20: Improper Input Validation CWE-404: Improper Resource Shutdown or Release •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26756 – md: Don't register sync_thread for reshape directly
https://notcve.org/view.php?id=CVE-2024-26756
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: md: Don't register sync_thread for reshape directly Currently, if reshape is interrupted, then reassemble the array will register sync_thread directly from pers->run(), in this case 'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee that md_do_sync() will be executed, hence stop_sync_thread() will hang because 'MD_RECOVERY_RUNNING' can't be cleared. Last patch make sure that md_do_sync() will set MD_RECOVERY_DONE, however... • https://git.kernel.org/stable/c/f67055780caac6a99f43834795c43acf99eba6a6 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26754 – gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
https://notcve.org/view.php?id=CVE-2024-26754
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() The gtp_net_ops pernet operations structure for the subsystem must be registered before registering the generic netlink family. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x000000000000001... • https://git.kernel.org/stable/c/459aa660eb1d8ce67080da1983bb81d716aa5a69 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26753 – crypto: virtio/akcipher - Fix stack overflow on memcpy
https://notcve.org/view.php?id=CVE-2024-26753
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: crypto: virtio/akcipher - Fix stack overflow on memcpy sizeof(struct virtio_crypto_akcipher_session_para) is less than sizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from stack variable leads stack overflow. Clang reports this issue by commands: make -j CC=clang-14 mrproper >/dev/null 2>&1 make -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1 make -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/ ... • https://git.kernel.org/stable/c/1ff57428894fc4f5001d3df0762c1820295d6c4f •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2024-26752 – l2tp: pass correct message length to ip6_append_data
https://notcve.org/view.php?id=CVE-2024-26752
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_q... • https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59 •
CVSS: 3.3EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26751 – ARM: ep93xx: Add terminator to gpiod_lookup_table
https://notcve.org/view.php?id=CVE-2024-26751
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: ARM: ep93xx: Add terminator to gpiod_lookup_table Without the terminator, if a con_id is passed to gpio_find() that does not exist in the lookup table the function will not stop looping correctly, and eventually cause an oops. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ARM: ep93xx: Agregar terminador a gpiod_lookup_table Sin el terminador, si se pasa un con_id a gpio_find() que no existe en la tabla de búsqueda, la func... • https://git.kernel.org/stable/c/b2e63555592f81331c8da3afaa607d8cf83e8138 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26749 – usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
https://notcve.org/view.php?id=CVE-2024-26749
03 Apr 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() ... cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ... 'priv_req' actually free at cdns3_gadget_ep_free_request(). But list_del_init() use priv_req->list after it. [ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4 [ 1542.642868][ T534] [ 1542.653162][ T534] Use-after-free read a... • https://git.kernel.org/stable/c/7733f6c32e36ff9d7adadf40001039bf219b1cbe •