CVSS: 6.7EPSS: 0%CPEs: 6EXPL: 0CVE-2024-26586 – mlxsw: spectrum_acl_tcam: Fix stack corruption
https://notcve.org/view.php?id=CVE-2024-26586
22 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decr... • https://git.kernel.org/stable/c/c3ab435466d5109b2c7525a3b90107d4d9e918fc • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52443 – apparmor: avoid crash when parsed profile name is empty
https://notcve.org/view.php?id=CVE-2023-52443
22 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later... • https://git.kernel.org/stable/c/04dc715e24d0820bf8740e1a1135ed61fe162bc8 • CWE-476: NULL Pointer Dereference •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26585 – tls: fix race between tx work scheduling and socket close
https://notcve.org/view.php?id=CVE-2024-26585
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige la ejecución... • https://git.kernel.org/stable/c/a42055e8d2c30d4decfc13ce943d09c7b9dad221 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26584 – net: tls: handle backlogging of crypto requests
https://notcve.org/view.php?id=CVE-2024-26584
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async ca... • https://git.kernel.org/stable/c/a54667f6728c2714a400f3c884727da74b6d1717 • CWE-393: Return of Wrong Status Code CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 5.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26583 – tls: fix race between async notify and socket close
https://notcve.org/view.php?id=CVE-2024-26583
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the comp... • https://git.kernel.org/stable/c/0cada33241d9de205522e3858b18e506ca5cce2c • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26582 – net: tls: fix use-after-free with partial reads and async decrypt
https://notcve.org/view.php?id=CVE-2024-26582
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: corrige el use-after-free con lecturas parciales y descifrado asíncrono tls_dec... • https://git.kernel.org/stable/c/fd31f3996af2627106e22a9f8072764fede51161 • CWE-416: Use After Free •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52442 – ksmbd: validate session id and tree id in compound request
https://notcve.org/view.php?id=CVE-2023-52442
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in compound request `smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will return 0, i.e. The tree id check is skipped. This patch use ksmbd_req_buf_next() to get current command in compound. En el kernel de Linux, se resolvió la siguiente vul... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-52441 – ksmbd: fix out of bounds in init_smb2_rsp_hdr()
https://notcve.org/view.php?id=CVE-2023-52441
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds in init_smb2_rsp_hdr() If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1 packets after ->need_neg is set to false. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrección fuera de los límites en init_smb2_rsp_hdr() Si el cliente envía una solicitud de negoc... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-52440 – ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()
https://notcve.org/view.php?id=CVE-2023-52440
21 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() If authblob->SessionKey.Length is bigger than session key size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array from SessionKey from client. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige el desbordamiento de slub en ksmbd_decode_ntlmssp_auth_blob() Si authblob->SessionKey.Length es mayor q... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52439 – uio: Fix use-after-free in uio_open
https://notcve.org/view.php?id=CVE-2023-52439
20 Feb 2024 — In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregis... • https://git.kernel.org/stable/c/57c5f4df0a5a0ee83df799991251e2ee93a5e4e9 • CWE-415: Double Free CWE-416: Use After Free •