CVE-2023-39198 – Kernel: qxl: race condition leading to use-after-free in qxl_mode_dumb_create()
https://notcve.org/view.php?id=CVE-2023-39198
A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation. Se encontró una condición de ejecución en el controlador QXL del kernel de Linux. La función qxl_mode_dumb_create() desreferencia el qobj devuelto por qxl_gem_object_create_with_handle(), pero el identificador es el único que contiene una referencia a él. • https://access.redhat.com/errata/RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:3138 https://access.redhat.com/security/cve/CVE-2023-39198 https://bugzilla.redhat.com/show_bug.cgi?id=2218332 https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html • CWE-416: Use After Free •
CVE-2023-6039 – Kernel: use-after-free in drivers/net/usb/lan78xx.c in lan78xx_disconnect
https://notcve.org/view.php?id=CVE-2023-6039
A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches. Se encontró una falla de use-after-free en lan78xx_disconnect en drivers/net/usb/lan78xx.c en el subcomponente de red, net/usb/lan78xx en el kernel de Linux. Esta falla permite que un atacante local bloquee el sistema cuando el dispositivo USB LAN78XX se desconecta. • https://access.redhat.com/security/cve/CVE-2023-6039 https://bugzilla.redhat.com/show_bug.cgi?id=2248755 https://github.com/torvalds/linux/commit/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3 • CWE-416: Use After Free •
CVE-2023-5090 – Kernel: kvm: svm: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs
https://notcve.org/view.php?id=CVE-2023-5090
A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition. Se encontró una falla en KVM. Una verificación incorrecta en svm_set_x2apic_msr_interception() puede permitir el acceso directo al host x2apic msrs cuando el invitado restablece su apic, lo que podría provocar una condición de denegación de servicio. • https://access.redhat.com/errata/RHSA-2024:3854 https://access.redhat.com/errata/RHSA-2024:3855 https://access.redhat.com/errata/RHSA-2024:4211 https://access.redhat.com/errata/RHSA-2024:4352 https://access.redhat.com/security/cve/CVE-2023-5090 https://bugzilla.redhat.com/show_bug.cgi?id=2248122 https://access.redhat.com/errata/RHSA-2024:2758 • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2023-1194 – Use-after-free in parse_lease_state()
https://notcve.org/view.php?id=CVE-2023-1194
An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory. Se encontró una falla de lectura de memoria Out-Of-Bounds (OOB) en parse_lease_state en la implementación KSMBD del servidor samba en el kernel y CIFS en el kernel de Linux. Cuando un atacante envía el comando CREATE con un payload mal formada a KSMBD, debido a una verificación faltante de `NameOffset` en la función `parse_lease_state()`, el objeto `create_context` puede acceder a memoria no válida. • https://access.redhat.com/security/cve/CVE-2023-1194 https://bugzilla.redhat.com/show_bug.cgi?id=2154176 https://security.netapp.com/advisory/ntap-20231221-0006 https://www.spinics.net/lists/stable-commits/msg303065.html • CWE-125: Out-of-bounds Read CWE-416: Use After Free •
CVE-2023-47233
https://notcve.org/view.php?id=CVE-2023-47233
The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. El componente brcm80211 en el kernel de Linux hasta 6.5.10 tiene un código brcmf_cfg80211_detach use after free en el código de desconexión del dispositivo (desconectar el USB mediante conexión en caliente). Para los atacantes físicamente próximos con acceso local, esto "podría explotarse en un escenario del mundo real". • https://bugzilla.suse.com/show_bug.cgi?id=1216702 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f7352557a35ab7888bc7831411ec8a3cbe20d78 https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz%40163.com https://marc.info/?l=linux-kernel&m=169907678011243&w=2 • CWE-416: Use After Free •