CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26988 – init/main.c: Fix potential static_command_line memory overflow
https://notcve.org/view.php?id=CVE-2024-26988
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: init/main.c: Fix potential static_command_line memory overflow We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line. When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow. This patch just recovers strlen(command_line) which was m... • https://git.kernel.org/stable/c/f5c7310ac73ea270e3a1acdb73d1b4817f11fd67 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26987 – mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled
https://notcve.org/view.php?id=CVE-2024-26987
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled When I did hard offline test with hugetlb pages, below deadlock occurs: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-11409-gf6cef5f8c37f #1 Not tainted ------------------------------------------------------ bash/46904 is trying to acquire lock: ffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: st... • https://git.kernel.org/stable/c/a6b40850c442bf996e729e1d441d3dbc37cea171 • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26986 – drm/amdkfd: Fix memory leak in create_process failure
https://notcve.org/view.php?id=CVE-2024-26986
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix memory leak in create_process failure Fix memory leak due to a leaked mmget reference on an error handling code path that is triggered when attempting to create KFD processes while a GPU reset is in progress. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amdkfd: corrige la pérdida de memoria en el error create_process. Corrige la pérdida de memoria debido a una referencia mmget filtrada en una ruta de c... • https://git.kernel.org/stable/c/0ab2d7532b05a3e7c06fd3b0c8bd6b46c1dfb508 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26985 – drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init
https://notcve.org/view.php?id=CVE-2024-26985
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init Add a unreference bo in the error path, to prevent leaking a bo ref. Return 0 on success to clarify the success path. (cherry picked from commit a2f3d731be3893e730417ae3190760fcaffdf549) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/xe: corrija la fuga de bo en intel_fb_bo_framebuffer_init. Agregue un bo sin referencia en la ruta del error, para evitar que se filtre u... • https://git.kernel.org/stable/c/44e694958b95395bd1c41508c88c8ca141bf9bd7 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26984 – nouveau: fix instmem race condition around ptr stores
https://notcve.org/view.php?id=CVE-2024-26984
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: nouveau: fix instmem race condition around ptr stores Running a lot of VK CTS in parallel against nouveau, once every few hours you might see something like this crash. BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27 Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS ... • https://git.kernel.org/stable/c/be55287aa5ba6895e9d4d3ed2f08a1be7a065957 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26983 – bootconfig: use memblock_free_late to free xbc memory to buddy
https://notcve.org/view.php?id=CVE-2024-26983
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: bootconfig: use memblock_free_late to free xbc memory to buddy On the time to free xbc memory in xbc_exit(), memblock may has handed over memory to buddy allocator. So it doesn't make sense to free memory back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. Following KASAN logs shows this case. This patch fixes the xbc memory free problem by calling me... • https://git.kernel.org/stable/c/40caa127f3c7279c75cb0c9684559fa314ee3a66 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26982 – Squashfs: check the inode number is not the invalid value of zero
https://notcve.org/view.php?id=CVE-2024-26982
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a me... • https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26981 – nilfs2: fix OOB in nilfs_set_de_type
https://notcve.org/view.php?id=CVE-2024-26981
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix OOB in nilfs_set_de_type The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function, which uses this array, specifies the index to read from the array in the same way as "(mode & S_IFMT) >> S_SHIFT". static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode) { umode_t mode = inode->i_mode; de->file_type = nilfs_type_by_mode[(mod... • https://git.kernel.org/stable/c/2ba466d74ed74f073257f86e61519cb8f8f46184 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26980 – ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
https://notcve.org/view.php?id=CVE-2024-26980
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size validation could be skipped. if request size is smaller than sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in smb2_allocate_rsp_buf(). This patch allocate response buffer after decrypting transform request. smb3_decrypt_req() will validate transform request size and avoid slab-out-of-bound in smb2_al... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26936 – ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
https://notcve.org/view.php?id=CVE-2024-26936
01 May 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate request buffer size in smb2_allocate_rsp_buf() The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header is used in smb2_allocate_rsp_buf(). This patch add simple buffer size validation to avoid potencial out-of-bounds in request buffer. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ksmbd: validar el tamaño del búfer de so... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •