CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50167 – be2net: fix potential memory leak in be_xmit()
https://notcve.org/view.php?id=CVE-2024-50167
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: be2net: fix potential memory leak in be_xmit() The be_xmit() returns NETDEV_TX_OK without freeing skb in case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: be2net: corrige una posible pérdida de memoria en be_xmit(). Be_xmit() devuelve NETDEV_TX_OK sin liberar skb en caso de que be_xmit_enqueue() falle, agregue dev_kfree_skb_any() para solucionarlo. In the L... • https://git.kernel.org/stable/c/760c295e0e8d982917d004c9095cff61c0cbd803 •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50166 – fsl/fman: Fix refcount handling of fman-related devices
https://notcve.org/view.php?id=CVE-2024-50166
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: fsl/fman: Fix refcount handling of fman-related devices In mac_probe() there are multiple calls to of_find_device_by_node(), fman_bind() and fman_port_bind() which takes references to of_dev->dev. Not all references taken by these calls are released later on error path in mac_probe() and in mac_remove() which lead to reference leaks. Add references release. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fsl/fman: se ha c... • https://git.kernel.org/stable/c/3933961682a30ae7d405cda344c040a129fea422 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-50164 – bpf: Fix overloading of MEM_UNINIT's meaning
https://notcve.org/view.php?id=CVE-2024-50164
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overloading of MEM_UNINIT's meaning Lonial reported an issue in the BPF verifier where check_mem_size_reg() has the following code: if (!tnum_is_const(reg->var_off)) /* For unprivileged variable accesses, disable raw * mode so that the program is required to * initialize all the memory that the helper could * just partially fill up. */ meta = NULL; This means that writes are not checked when the register containing the size of the ... • https://git.kernel.org/stable/c/7b3552d3f9f6897851fc453b5131a967167e43c2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50163 – bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
https://notcve.org/view.php?id=CVE-2024-50163
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap The bpf_redirect_info is shared between the SKB and XDP redirect paths, and the two paths use the same numeric flag values in the ri->flags field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that if skb bpf_redirect_neigh() is used with a non-NULL params argument and, subsequently, an XDP redirect is performed using the same bpf_redirect_info struct, the XDP p... • https://git.kernel.org/stable/c/e624d4ed4aa8cc3c69d1359b0aaea539203ed266 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50162 – bpf: devmap: provide rxq after redirect
https://notcve.org/view.php?id=CVE-2024-50162
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: devmap: provide rxq after redirect rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* does not have it set. This is particularly bad since accessing ingress_ifindex, e.g. SEC("xdp") int prog(struct xdp_md *pkt) { return bpf_redirect_map(&dev_redirect_map, 0, 0); } SEC("xdp/devmap") int prog_after_redirect(struct xdp_md *pkt) { bpf... • https://git.kernel.org/stable/c/cb261b594b4108668e00f565184c7c221efe0359 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50160 – ALSA: hda/cs8409: Fix possible NULL dereference
https://notcve.org/view.php?id=CVE-2024-50160
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs8409: Fix possible NULL dereference If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then NULL pointer dereference will occur in the next line. Since dolphin_fixups function is a hda_fixup function which is not supposed to return any errors, add simple check before dereference, ignore the fail. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente v... • https://git.kernel.org/stable/c/20e507724113300794f16884e7e7507d9b4dec68 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50156 – drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()
https://notcve.org/view.php?id=CVE-2024-50156
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() If the allocation in msm_disp_state_dump_regs() failed then `block->state` can be NULL. The msm_disp_state_print_regs() function _does_ have code to try to handle it with: if (*reg) dump_addr = *reg; ...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference `dump_addr`. Make the function print "Registers not stored" when i... • https://git.kernel.org/stable/c/98659487b845c05b6bed85d881713545db674c7c •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50154 – tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
https://notcve.org/view.php?id=CVE-2024-50154
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_p... • https://git.kernel.org/stable/c/83fccfc3940c4a2db90fd7e7079f5b465cd8c6af • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50153 – scsi: target: core: Fix null-ptr-deref in target_alloc_device()
https://notcve.org/view.php?id=CVE-2024-50153
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix null-ptr-deref in target_alloc_device() There is a null-ptr-deref issue reported by KASAN: BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] ... kasan_report+0xb9/0xf0 target_alloc_device+0xbc4/0xbe0 [target_core_mod] core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] target_core_init_configfs+0x205/0x420 [target_core_mod] do_one_initcall+0xdd/0x4e0 ... entry_SYSCALL_64_after_hwfra... • https://git.kernel.org/stable/c/008b936bbde3e87a611b3828a0d5d2a4f99026a0 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50151 – smb: client: fix OOBs when building SMB2_IOCTL request
https://notcve.org/view.php?id=CVE-2024-50151
07 Nov 2024 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOBs when building SMB2_IOCTL request When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command(). SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set... • https://git.kernel.org/stable/c/e77fe73c7e38c36145825d84cfe385d400aba4fd •