CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50080 – ublk: don't allow user copy for unprivileged device
https://notcve.org/view.php?id=CVE-2024-50080
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ublk: don't allow user copy for unprivileged device UBLK_F_USER_COPY requires userspace to call write() on ublk char device for filling request buffer, and unprivileged device can't be trusted. So don't allow user copy for unprivileged device. In the Linux kernel, the following vulnerability has been resolved: ublk: don't allow user copy for unprivileged device UBLK_F_USER_COPY requires userspace to call write() on ublk char device for fill... • https://git.kernel.org/stable/c/1172d5b8beca6b899deb9f7f2850e7e47ec16198 •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50078 – Bluetooth: Call iso_exit() on module unload
https://notcve.org/view.php?id=CVE-2024-50078
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Call iso_exit() on module unload If iso_init() has been called, iso_exit() must be called on module unload. Without that, the struct proto that iso_init() registered with proto_register() becomes invalid, which could cause unpredictable problems later. In my case, with CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually triggers this BUG(): list_add corruption. next->prev should be pre... • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a •
CVSS: 7.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50077 – Bluetooth: ISO: Fix multiple init when debugfs is disabled
https://notcve.org/view.php?id=CVE-2024-50077
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix multiple init when debugfs is disabled If bt_debugfs is not created successfully, which happens if either CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init() returns early and does not set iso_inited to true. This means that a subsequent call to iso_init() will result in duplicate calls to proto_register(), bt_sock_register(), etc. With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, th... • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50076 – vt: prevent kernel-infoleak in con_font_get()
https://notcve.org/view.php?id=CVE-2024-50076
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: vt: prevent kernel-infoleak in con_font_get() font.data may not initialize all memory spaces depending on the implementation of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it is safest to modify it to initialize the allocated memory space to 0, and it generally does not affect the overall performance of the system. In the Linux kernel, the following vulnerability has been resolved: vt: prevent kernel-infoleak in c... • https://git.kernel.org/stable/c/05e2600cb0a4d73b0779cf29512819616252aeeb •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50075 – xhci: tegra: fix checked USB2 port number
https://notcve.org/view.php?id=CVE-2024-50075
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: xhci: tegra: fix checked USB2 port number If USB virtualizatoin is enabled, USB2 ports are shared between all Virtual Functions. The USB2 port number owned by an USB2 root hub in a Virtual Function may be less than total USB2 phy number supported by the Tegra XUSB controller. Using total USB2 phy number as port number to check all PORTSC values would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtua... • https://git.kernel.org/stable/c/a30951d31b250bf3479c00e93646b6cc6fb42a56 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-50074 – parport: Proper fix for array out-of-bounds access
https://notcve.org/view.php?id=CVE-2024-50074
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly. In t... • https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50073 – tty: n_gsm: Fix use-after-free in gsm_cleanup_mux
https://notcve.org/view.php?id=CVE-2024-50073
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50072 – x86/bugs: Use code segment selector for VERW operand
https://notcve.org/view.php?id=CVE-2024-50072
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 0000... • https://git.kernel.org/stable/c/50f021f0b985629accf10481a6e89af8b9700583 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50070 – pinctrl: stm32: check devm_kasprintf() returned value
https://notcve.org/view.php?id=CVE-2024-50070
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: stm32: check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. In the Linux kernel, the following vulnerability has been resolved: pinctrl: stm32: check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack ... • https://git.kernel.org/stable/c/32c170ff15b044579b1f8b8cdabf543406dde9da •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50069 – pinctrl: apple: check devm_kasprintf() returned value
https://notcve.org/view.php?id=CVE-2024-50069
29 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: apple: check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. In the Linux kernel, the following vulnerability has been resolved: pinctrl: apple: check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack ... • https://git.kernel.org/stable/c/a0f160ffcb83de6a04fa75f9e7bdfe969f2863f7 •