CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50143 – udf: fix uninit-value use in udf_get_fileshortad
https://notcve.org/view.php?id=CVE-2024-50143
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: udf: fix uninit-value use in udf_get_fileshortad Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: udf: ... • https://git.kernel.org/stable/c/5eb76fb98b3335aa5cca6a7db2e659561c79c32b •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50142 – xfrm: validate new SA's prefixlen using SA family when sel.family is unset
https://notcve.org/view.php?id=CVE-2024-50142
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50141 – ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
https://notcve.org/view.php?id=CVE-2024-50141
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context PRMT needs to find the correct type of block to translate the PA-VA mapping for EFI runtime services. The issue arises because the PRMT is finding a block of type EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services as described in Section 2.2.2 (Runtime Services) of the UEFI Specification [1]. Since the PRM handler is a type of runtime service, this caus... • https://git.kernel.org/stable/c/cefc7ca46235f01d5233e3abd4b79452af01d9e9 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50138 – bpf: Use raw_spinlock_t in ringbuf
https://notcve.org/view.php?id=CVE-2024-50138
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Use raw_spinlock_t in ringbuf The function __bpf_ringbuf_reserve is invoked from a tracepoint, which disables preemption. Using spinlock_t in this context can lead to a "sleep in atomic" warning in the RT variant. This issue is illustrated in the example below: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs preempt_cou... • https://git.kernel.org/stable/c/457f44363a8894135c85b7a9afd2bd8196db24ab •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50135 – nvme-pci: fix race condition between reset and nvme_dev_disable()
https://notcve.org/view.php?id=CVE-2024-50135
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix race condition between reset and nvme_dev_disable() nvme_dev_disable() modifies the dev->online_queues field, therefore nvme_pci_update_nr_queues() should avoid racing against it, otherwise we could end up passing invalid values to blk_mq_update_nr_hw_queues(). WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347 pci_irq_get_affinity+0x187/0x210 Workqueue: nvme-reset-wq nvme_reset_work [nvme] RIP: 0010:pci_irq_get_affinity... • https://git.kernel.org/stable/c/949928c1c731417cc0f070912c63878b62b544f4 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50134 – drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA
https://notcve.org/view.php?id=CVE-2024-50134
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA to fix a "memcpy: detected field-spanning write error" warning: [ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4) [ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsm... • https://git.kernel.org/stable/c/dd55d44f408419278c00887bfcb2261d0caae350 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50131 – tracing: Consider the NULL character when validating the event length
https://notcve.org/view.php?id=CVE-2024-50131
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length strlen() returns a string length excluding the null byte. If the string length equals to the maximum buffer length, the buffer will have no space for the NULL terminating character. This commit checks this condition and returns failure for it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: considerar el carácter NULL al validar la longitud del... • https://git.kernel.org/stable/c/dec65d79fd269d05427c8167090bfc9c3d0b56c4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50128 – net: wwan: fix global oob in wwan_rtnl_policy
https://notcve.org/view.php?id=CVE-2024-50128
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: net: wwan: fix global oob in wwan_rtnl_policy The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. Exactly same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"). ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inlin... • https://git.kernel.org/stable/c/88b710532e53de2466d1033fb1d5125aabf3215a •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50127 – net: sched: fix use-after-free in taprio_change()
https://notcve.org/view.php?id=CVE-2024-50127
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: net: sched: fix use-after-free in taprio_change() In 'taprio_change()', 'admin' pointer may become dangling due to sched switch / removal caused by 'advance_sched()', and critical section protected by 'q->current_entry_lock' is too small to prevent from such a scenario (which causes use-after-free detected by KASAN). Fix this by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update 'admin' immediately before an attempt to sch... • https://git.kernel.org/stable/c/a3d43c0d56f1b94e74963a2fbadfb70126d92213 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2024-50125 – Bluetooth: SCO: Fix UAF on sco_sock_timeout
https://notcve.org/view.php?id=CVE-2024-50125
05 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_sock_timeout conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock so this checks if the conn->sk is still valid by checking if it part of sco_sk_list. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: SCO: Se corrige que UAF en sco_sock_timeout conn->sk pueda haberse desvinculado/liberado mientras se esperaba sco_conn_lock, por lo que esto verifica si conn->... • https://git.kernel.org/stable/c/ba316be1b6a00db7126ed9a39f9bee434a508043 • CWE-416: Use After Free •