CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50086 – ksmbd: fix user-after-free from session log off
https://notcve.org/view.php?id=CVE-2024-50086
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup. It will cause user-after-free from session log off. This add session_lock when setting SMB2_SESSION_EXPIRED and referece count to session struct not to free session while it is being used. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issu... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50085 – mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow
https://notcve.org/view.php?id=CVE-2024-50085
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU ... • https://git.kernel.org/stable/c/35b31f5549ede4070566b949781e83495906b43d • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50084 – net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()
https://notcve.org/view.php?id=CVE-2024-50084
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() Commit a3c1e45156ad ("net: microchip: vcap: Fix use-after-free error in kunit test") fixed the use-after-free error, but introduced below memory leaks by removing necessary vcap_free_rule(), add it to fix it. unreferenced object 0xffffff80ca58b700 (size 192): comm "kunit_try_catch", pid 1215, jiffies 4294898264 hex dump (first 32 bytes): 00 12 7a 00 05 00 00 00 0a 00 ... • https://git.kernel.org/stable/c/b0804c286ccfcf5f5c004d5bf8a54c0508b5e86b • CWE-416: Use After Free •
CVSS: 8.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50083 – tcp: fix mptcp DSS corruption due to large pmtu xmit
https://notcve.org/view.php?id=CVE-2024-50083
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller... • https://git.kernel.org/stable/c/85712484110df308215077be6ee21c4e57d7dec2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50082 – blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race
https://notcve.org/view.php?id=CVE-2024-50082
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race We're seeing crashes from rq_qos_wake_function that look like this: BUG: unable to handle page fault for address: ffffafe180a40084 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-r... • https://git.kernel.org/stable/c/38cfb5a45ee013bfab5d1ae4c4738815e744b440 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50080 – ublk: don't allow user copy for unprivileged device
https://notcve.org/view.php?id=CVE-2024-50080
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ublk: don't allow user copy for unprivileged device UBLK_F_USER_COPY requires userspace to call write() on ublk char device for filling request buffer, and unprivileged device can't be trusted. So don't allow user copy for unprivileged device. In the Linux kernel, the following vulnerability has been resolved: ublk: don't allow user copy for unprivileged device UBLK_F_USER_COPY requires userspace to call write() on ublk char device for fill... • https://git.kernel.org/stable/c/1172d5b8beca6b899deb9f7f2850e7e47ec16198 •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50078 – Bluetooth: Call iso_exit() on module unload
https://notcve.org/view.php?id=CVE-2024-50078
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Call iso_exit() on module unload If iso_init() has been called, iso_exit() must be called on module unload. Without that, the struct proto that iso_init() registered with proto_register() becomes invalid, which could cause unpredictable problems later. In my case, with CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually triggers this BUG(): list_add corruption. next->prev should be pre... • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a •
CVSS: 7.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50077 – Bluetooth: ISO: Fix multiple init when debugfs is disabled
https://notcve.org/view.php?id=CVE-2024-50077
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix multiple init when debugfs is disabled If bt_debugfs is not created successfully, which happens if either CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init() returns early and does not set iso_inited to true. This means that a subsequent call to iso_init() will result in duplicate calls to proto_register(), bt_sock_register(), etc. With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, th... • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50076 – vt: prevent kernel-infoleak in con_font_get()
https://notcve.org/view.php?id=CVE-2024-50076
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: vt: prevent kernel-infoleak in con_font_get() font.data may not initialize all memory spaces depending on the implementation of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it is safest to modify it to initialize the allocated memory space to 0, and it generally does not affect the overall performance of the system. In the Linux kernel, the following vulnerability has been resolved: vt: prevent kernel-infoleak in c... • https://git.kernel.org/stable/c/05e2600cb0a4d73b0779cf29512819616252aeeb •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50075 – xhci: tegra: fix checked USB2 port number
https://notcve.org/view.php?id=CVE-2024-50075
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: xhci: tegra: fix checked USB2 port number If USB virtualizatoin is enabled, USB2 ports are shared between all Virtual Functions. The USB2 port number owned by an USB2 root hub in a Virtual Function may be less than total USB2 phy number supported by the Tegra XUSB controller. Using total USB2 phy number as port number to check all PORTSC values would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtua... • https://git.kernel.org/stable/c/a30951d31b250bf3479c00e93646b6cc6fb42a56 •