CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49936 – net/xen-netback: prevent UAF in xenvif_flush_hash()
https://notcve.org/view.php?id=CVE-2024-49936
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. In the Linux kernel, the following... • https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49935 – ACPI: PAD: fix crash in exit_round_robin()
https://notcve.org/view.php?id=CVE-2024-49935
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ACPI: PAD: fix crash in exit_round_robin() The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address. ---------- BUG: unable to handle kernel paging request at ffffffffe0740618 ... CPU: 3 PID: 2919323 Comm: acpi_pad/14 K... • https://git.kernel.org/stable/c/92e5661b7d0727ab912b76625a88b33fdb9b609a •
CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49934 – fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name
https://notcve.org/view.php?id=CVE-2024-49934
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name It's observed that a crash occurs during hot-remove a memory device, in which user is accessing the hugetlb. See calltrace as following: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790 Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl... • https://git.kernel.org/stable/c/1a4159138e718db6199f0abf376ad52f726dcc5c •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49933 – blk_iocost: fix more out of bound shifts
https://notcve.org/view.php?id=CVE-2024-49933
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: blk_iocost: fix more out of bound shifts Recently running UBSAN caught few out of bound shifts in the ioc_forgive_debts() function: UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49932 – btrfs: don't readahead the relocation inode on RST
https://notcve.org/view.php?id=CVE-2024-49932
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't readahead the relocation inode on RST On relocation we're doing readahead on the relocation inode, but if the filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to preallocated extents not being mapped in the RST) from the lookup. But readahead doesn't handle the error and submits invalid reads to the device, causing an assertion in the scatter-gather list code: BTRFS info (device nvme1n1): balance: start -d... • https://git.kernel.org/stable/c/f7a1218a983ab98aba140dc20b25f60b39ee4033 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49930 – wifi: ath11k: fix array out-of-bound access in SoC stats
https://notcve.org/view.php?id=CVE-2024-49930
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_... • https://git.kernel.org/stable/c/d5c65159f2895379e11ca13f62feabe93278985d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49929 – wifi: iwlwifi: mvm: avoid NULL pointer dereference
https://notcve.org/view.php?id=CVE-2024-49929
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: avoid NULL pointer dereference iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta pointer is not NULL. It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is dereferencing the ieee80211_sta pointer. If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL pointer. Fix this by checking the sta pointer before retrieving the mvmsta from it. If sta is not NULL, then mvmsta isn't either. ... • https://git.kernel.org/stable/c/cbc6fc9cfcde151ff5eadaefdc6155f99579384f •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49927 – x86/ioapic: Handle allocation failures gracefully
https://notcve.org/view.php?id=CVE-2024-49927
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: x86/ioapic: Handle allocation failures gracefully Breno observed panics when using failslab under certain conditions during runtime: can not alloc irq_pin_list (-1,0,20) Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed panic+0x4e9/0x590 mp_irqdomain_alloc+0x9ab/0xa80 irq_domain_alloc_irqs_locked+0x25d/0x8d0 __irq_domain_alloc_irqs+0x80/0x110 mp_map_pin_to_irq+0x645/0x890 acpi_register_gsi_ioapic+0xe6/0x150 hpet_op... • https://git.kernel.org/stable/c/e479cb835feeb2abff97f25766e23b96a6eabe28 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49926 – rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
https://notcve.org/view.php?id=CVE-2024-49926
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is defined as NR_CPUS instead of the number of possible cpus, this will cause the following system panic: smpboot: Allowing 4 CPUs, 0 hotplug CPUs ... setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1 ... BUG: unable to handle page fault for address: ffffffff9911c8c8 Oops: 0... • https://git.kernel.org/stable/c/224fd631c41b81697aa622d38615bfbf446b91cf •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49925 – fbdev: efifb: Register sysfs groups through driver core
https://notcve.org/view.php?id=CVE-2024-49925
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: fbdev: efifb: Register sysfs groups through driver core The driver core can register and cleanup sysfs groups already. Make use of that functionality to simplify the error handling and cleanup. Also avoid a UAF race during unregistering where the sysctl attributes were usable after the info struct was freed. In the Linux kernel, the following vulnerability has been resolved: fbdev: efifb: Register sysfs groups through driver core The driver... • https://git.kernel.org/stable/c/2a9c40c72097b583b23aeb2a26d429ccfc81fbc1 •