CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53139 – nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
https://notcve.org/view.php?id=CVE-2023-53139
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause out-of-bounds write in device_property_read_u8_array later. In the Linux kernel, the following vulnerability has been resolved: nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause out-of-bounds ... • https://git.kernel.org/stable/c/a06347c04c13e380afce0c9816df51f00b83faf1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53138 – net: caif: Fix use-after-free in cfusbl_device_notify()
https://notcve.org/view.php?id=CVE-2023-53138
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: caif: Fix use-after-free in cfusbl_device_notify() syzbot reported use-after-free in cfusbl_device_notify() [1]. This causes a stack trace like below: BUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 Read of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214 CPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0 Hardware name: Google Google Compute Engine... • https://git.kernel.org/stable/c/7ad65bf68d705b445ef10b77ab50dab22be185ee •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-53137 – ext4: Fix possible corruption when moving a directory
https://notcve.org/view.php?id=CVE-2023-53137
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: Fix possible corruption when moving a directory When we are renaming a directory to a different directory, we need to update '..' entry in the moved directory. However nothing prevents moved directory from being modified and even converted from the inline format to the normal format. When such race happens the rename code gets confused and we crash. Fix the problem by locking the moved directory. In the Linux kernel, the following vul... • https://git.kernel.org/stable/c/32f7f22c0b52e8189fef83986b16dc7abe95f2c4 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53125 – net: usb: smsc75xx: Limit packet length to skb->len
https://notcve.org/view.php?id=CVE-2023-53125
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Limit packet length to skb->len Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Limit packet length to skb->len Packet length retrieved from skb data may be larger than the actual socke... • https://git.kernel.org/stable/c/d0cad871703b898a442e4049c532ec39168e5b57 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53121 – tcp: tcp_make_synack() can be called from process context
https://notcve.org/view.php?id=CVE-2023-53121
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: tcp_make_synack() can be called from process context tcp_rtx_synack() now could be called in process context as explained in 0a375c822497 ("tcp: tcp_rtx_synack() can be called from process context"). tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU variables with preemption enabled. This causes the following BUG: BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464 caller is tcp_make_synack+... • https://git.kernel.org/stable/c/8336886f786fdacbc19b719c1f7ea91eb70706d4 •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53117 – fs: prevent out-of-bounds array speculation when closing a file descriptor
https://notcve.org/view.php?id=CVE-2023-53117
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: prevent out-of-bounds array speculation when closing a file descriptor Google-Bug-Id: 114199369 • https://git.kernel.org/stable/c/f31cd5da636682caea424fa1c22679016cbfc16b •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-53111 – loop: Fix use-after-free issues
https://notcve.org/view.php?id=CVE-2023-53111
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: loop: Fix use-after-free issues do_req_filebacked() calls blk_mq_complete_request() synchronously or asynchronously when using asynchronous I/O unless memory allocation fails. Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor 'rq' after do_req_filebacked() finished unless we are sure that the request has not yet been completed. This patch fixes the following kernel crash: Unable to handle kernel NULL pointer derefe... • https://git.kernel.org/stable/c/bc07c10a3603a5ab3ef01ba42b3d41f9ac63d1b6 •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53108 – net/iucv: Fix size of interrupt data
https://notcve.org/view.php?id=CVE-2023-53108
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net/iucv: Fix size of interrupt data iucv_irq_data needs to be 4 bytes larger. These bytes are not used by the iucv module, but written by the z/VM hypervisor in case a CPU is deconfigured. Reported as: BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten ----------------------------------------------------------------------------- 0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc Allocated in iucv... • https://git.kernel.org/stable/c/2356f4cb191100a5e92d537f13e5efdbc697e9cb •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53106 – nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
https://notcve.org/view.php?id=CVE-2023-53106
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition This bug influences both st_nci_i2c_remove and st_nci_spi_remove. Take st_nci_i2c_remove as an example. In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work with llt_ndlc_sm_work. When it calls ndlc_recv or timeout handler, it will finally call schedule_work to start the work. When we call st_nci_i2c_remove to remove the driver, there may be a sequence as... • https://git.kernel.org/stable/c/35630df68d6030daf12dde12ed07bbe26324e6ac •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-53103 – bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails
https://notcve.org/view.php?id=CVE-2023-53103
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails syzbot reported a warning[1] where the bond device itself is a slave and we try to enslave a non-ethernet device as the first slave which fails but then in the error path when ether_setup() restores the bond device it also clears all flags. In my previous fix[2] I restored the IFF_MASTER flag, but I didn't consider the case that the bond device itself might also be a slav... • https://git.kernel.org/stable/c/7d5cd2ce5292b45e555de776cb9e72975a07460d •