CVSS: 4.7EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52898 – xhci: Fix null pointer dereference when host dies
https://notcve.org/view.php?id=CVE-2023-52898
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: xhci: Fix null pointer dereference when host dies Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race and cause null pointer dereference when host suddenly dies. Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id] virt device at the same time that xhci_kill_endpoint_urbs() tries to loop through all the device's endpoints, checking if there are any cancelled urbs left to give back. hold the xhci spinlock whi... • https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52894 – usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
https://notcve.org/view.php?id=CVE-2023-52894
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() In Google internal bug 265639009 we've received an (as yet) unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device. AFAICT the source code is at: https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10 The call stack is: ncm_close() -> ncm_notify() -> ncm_do_notify() with the crash at: ncm_do_notify+0x98/0x270 Code: 79000d0... • https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48893 – drm/i915/gt: Cleanup partial engine discovery failures
https://notcve.org/view.php?id=CVE-2022-48893
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Cleanup partial engine discovery failures If we abort driver initialisation in the middle of gt/engine discovery, some engines will be fully setup and some not. Those incompletely setup engines only have 'engine->release == NULL' and so will leak any of the common objects allocated. v2: - Drop the destroy_pinned_context() helper for now. It's not really worth it with just a single callsite at the moment. (Janusz) In the Linux k... • https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48891 – regulator: da9211: Use irq handler when ready
https://notcve.org/view.php?id=CVE-2022-48891
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: regulator: da9211: Use irq handler when ready If the system does not come from reset (like when it is kexec()), the regulator might have an IRQ waiting for us. If we enable the IRQ handler before its structures are ready, we crash. This patch fixes: [ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078 [ 1.316096] Call trace: [ 1.316101] blocking_notifier_call_chain+0x20/0xa8 [ 1.322757] cpu cpu... • https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48877 – f2fs: let's avoid panic if extent_tree is not created
https://notcve.org/view.php?id=CVE-2022-48877
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: f2fs: let's avoid panic if extent_tree is not created This patch avoids the below panic. pc : __lookup_extent_tree+0xd8/0x760 lr : f2fs_do_write_data_page+0x104/0x87c sp : ffffffc010cbb3c0 x29: ffffffc010cbb3e0 x28: 0000000000000000 x27: ffffff8803e7f020 x26: ffffff8803e7ed40 x25: ffffff8803e7f020 x24: ffffffc010cbb460 x23: ffffffc010cbb480 x22: 0000000000000000 x21: 0000000000000000 x20: ffffffff22e90900 x19: 0000000000000000 x18: ffffffc0... • https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48875 – wifi: mac80211: sdata can be NULL during AMPDU start
https://notcve.org/view.php?id=CVE-2022-48875
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: sdata can be NULL during AMPDU start ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 might_sleep(); 394 395 sdata = get_bss_sdata(sdata); 396 if (!check_sdata_in_dri... • https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2024-43882 – exec: Fix ToCToU between perm check and set-uid/gid usage
https://notcve.org/view.php?id=CVE-2024-43882
21 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning ... • https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-43858 – jfs: Fix array-index-out-of-bounds in diFree
https://notcve.org/view.php?id=CVE-2024-43858
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate rem... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-43856 – dma: fix call order in dmam_free_coherent
https://notcve.org/view.php?id=CVE-2024-43856
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: dma: fix call order in dmam_free_coherent dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list. If this happens, there will be two entries in the devres list with the same... • https://git.kernel.org/stable/c/9ac7849e35f705830f7b016ff272b0ff1f7ff759 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-43854 – block: initialize integrity buffer to zero before writing it to media
https://notcve.org/view.php?id=CVE-2024-43854
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes. In the Linux kernel, the following... • https://git.kernel.org/stable/c/7ba1ba12eeef0aa7113beb16410ef8b7c748e18b • CWE-401: Missing Release of Memory after Effective Lifetime •