CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26642 – netfilter: nf_tables: disallow anonymous set with timeout flag
https://notcve.org/view.php?id=CVE-2024-26642
21 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nf_tables: no permitir conjuntos anónimos con indicador de tiempo de espera Los conjuntos anónimos nunca se usan con tiempo de espera del espacio de usuario, r... • https://git.kernel.org/stable/c/761da2935d6e18d178582dbdf315a3a458555505 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 3.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52620 – netfilter: nf_tables: disallow timeout for anonymous sets
https://notcve.org/view.php?id=CVE-2023-52620
21 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow timeout for anonymous sets Never used from userspace, disallow these parameters. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nf_tables: no permite el tiempo de espera para conjuntos anónimos Nunca se usa desde el espacio de usuario, no permita estos parámetros. A vulnerability was found in netfilter/nf_tables componets of Linux Kernel allows an userspace to set timeouts for anony... • https://git.kernel.org/stable/c/116b0e8e4673a5faa8a739a19b467010c4d3058c • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26641 – ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
https://notcve.org/view.php?id=CVE-2024-26641
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in I... • https://git.kernel.org/stable/c/0d3c703a9d1723c7707e0680019ac8ff5922db42 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26640 – tcp: add sanity checks to rx zerocopy
https://notcve.org/view.php?id=CVE-2024-26640
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(... • https://git.kernel.org/stable/c/93ab6cc69162775201587cc9da00d5016dc890e2 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52619 – pstore/ram: Fix crash when setting number of cpus to an odd number
https://notcve.org/view.php?id=CVE-2023-52619
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Fix crash when setting number of cpus to an odd number When the number of cpu cores is adjusted to 7 or other odd numbers, the zone size will become an odd number. The address of the zone will become: addr of zone0 = BASE addr of zone1 = BASE + zone_size addr of zone2 = BASE + zone_size*2 ... The address of zone1/3/5/7 will be mapped to non-alignment va. Eventually crashes will occur when accessing these va. So, use ALIGN_DOWN()... • https://git.kernel.org/stable/c/8b69c30f4e8b69131d92096cb296dc1f217101e4 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52618 – block/rnbd-srv: Check for unlikely string overflow
https://notcve.org/view.php?id=CVE-2023-52618
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: block/rnbd-srv: Check for unlikely string overflow Since "dev_search_path" can technically be as large as PATH_MAX, there was a risk of truncation when copying it and a second string into "full_path" since it was also PATH_MAX sized. The W=1 builds were reporting this warning: drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra': drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up t... • https://git.kernel.org/stable/c/95bc866c11974d3e4a9d922275ea8127ff809cf7 •
CVSS: 4.4EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52617 – PCI: switchtec: Fix stdev_release() crash after surprise hot remove
https://notcve.org/view.php?id=CVE-2023-52617
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: PCI: switchtec: Fix stdev_release() crash after surprise hot remove A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit, at a point way past switchtec_pci_remove(). Otherwise the last ref would vanish with the trailing put_device(), just before return. At that later point in time, the devm cleanup has already removed the stdev->mmio_mrpc mapping. Also, the stdev->p... • https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355 •
CVSS: 5.2EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26638 – nbd: always initialize struct msghdr completely
https://notcve.org/view.php?id=CVE-2024-26638
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg->msg_get_inq value can be uninitialized [1] struct msghdr got many new fields recently, we should always make sure their values is zero by default. [1] BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571 inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_rec... • https://git.kernel.org/stable/c/f94fd25cb0aaf77fd7453f31c5d394a1a68ecf60 • CWE-456: Missing Initialization of a Variable •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26636 – llc: make llc_ui_sendmsg() more robust against bonding changes
https://notcve.org/view.php?id=CVE-2024-26636
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: - Uses LL_RESERVED_SPACE() to reserve spac... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26635 – llc: Drop support for ETH_P_TR_802_2.
https://notcve.org/view.php?id=CVE-2024-26635
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decod... • https://git.kernel.org/stable/c/211ed865108e24697b44bee5daac502ee6bdd4a4 •