CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50029 – Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
https://notcve.org/view.php?id=CVE-2024-50029
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardw... • https://git.kernel.org/stable/c/e07a06b4eb417f5271d33ce2240e93c62d98b7b4 •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50028 – thermal: core: Reference count the zone in thermal_zone_get_by_id()
https://notcve.org/view.php?id=CVE-2024-50028
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: thermal: core: Reference count the zone in thermal_zone_get_by_id() There are places in the thermal netlink code where nothing prevents the thermal zone object from going away while being accessed after it has been returned by thermal_zone_get_by_id(). To address this, make thermal_zone_get_by_id() get a reference on the thermal zone device object to be returned with the help of get_device(), under thermal_list_lock, and adjust all of its c... • https://git.kernel.org/stable/c/1ce50e7d408ef2bdc8ca021363fd46d1b8bfad00 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50026 – scsi: wd33c93: Don't use stale scsi_pointer value
https://notcve.org/view.php?id=CVE-2024-50026
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: wd33c93: Don't use stale scsi_pointer value A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93: Move the SCSI pointer to private command data") which results in an oops in wd33c93_intr(). That commit added the scsi_pointer variable and initialized it from hostdata->connected. However, during selection, hostdata->connected is not yet valid. Fix this by getting the current scsi_pointer from hostdata->selecting. In the ... • https://git.kernel.org/stable/c/dbb2da557a6a87c88bbb4b1fef037091b57f701b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50024 – net: Fix an unsafe loop on the list
https://notcve.org/view.php?id=CVE-2024-50024
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: Fix an unsafe loop on the list The kernel may crash when deleting a genetlink family if there are still listeners for that family: Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0 LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0 Call Trace: __netlink_clear_multicast_users+0x74/0xc0 genl_unregister_family+0xd4/0x2d0 Change the unsafe loop on the list to a safe one... • https://git.kernel.org/stable/c/b8273570f802a7658827dcb077b0b517ba75a289 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50022 – device-dax: correct pgoff align in dax_set_mapping()
https://notcve.org/view.php?id=CVE-2024-50022
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: device-dax: correct pgoff align in dax_set_mapping() pgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). Otherwise, vmf->address not aligned to fault_size will be aligned to the next alignment, that can result in memory failure getting the wrong address. It's a subtle situation that only can be observed in page_mapped_in_vma() after the page is page fault handled by dev_dax_huge_fault. Generally, there is little chance to perform... • https://git.kernel.org/stable/c/b9b5777f09be84d0de472ded2253d2f5101427f2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50019 – kthread: unpark only parked kthread
https://notcve.org/view.php?id=CVE-2024-50019
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: kthread: unpark only parked kthread Calling into kthread unparking unconditionally is mostly harmless when the kthread is already unparked. The wake up is then simply ignored because the target is not in TASK_PARKED state. However if the kthread is per CPU, the wake up is preceded by a call to kthread_bind() which expects the task to be inactive and in TASK_PARKED state, which obviously isn't the case if it is unparked. As a result, calling... • https://git.kernel.org/stable/c/5c25b5ff89f004c30b04759dc34ace8585a4085f •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50017 – x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
https://notcve.org/view.php?id=CVE-2024-50017
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: x86/mm/ident_map: Use gbpages only where full GB page should be mapped. When ident_pud_init() uses only GB pages to create identity maps, large ranges of addresses not actually requested can be included in the resulting table; a 4K request will map a full GB. This can include a lot of extra address space past that requested, including areas marked reserved by the BIOS. That allows processor speculation into reserved regions, that on UV syst... • https://git.kernel.org/stable/c/d80a99892f7a992d103138fa4636b2c33abd6740 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50016 – drm/amd/display: Avoid overflow assignment in link_dp_cts
https://notcve.org/view.php?id=CVE-2024-50016
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid overflow assignment in link_dp_cts sampling_rate is an uint8_t but is assigned an unsigned int, and thus it can overflow. As a result, sampling_rate is changed to uint32_t. Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should only be assigned to a value less or equal than 4. This fixes 2 INTEGER_OVERFLOW issues reported by Coverity. In the Linux kernel, the following vulnerability has been resolved: dr... • https://git.kernel.org/stable/c/a1495acc6234fa79b775599d3f49009afd53299f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50015 – ext4: dax: fix overflowing extents beyond inode size when partially writing
https://notcve.org/view.php?id=CVE-2024-50015
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: dax: fix overflowing extents beyond inode size when partially writing The dax_iomap_rw() does two things in each iteration: map written blocks and copy user data to blocks. If the process is killed by user(See signal handling in dax_iomap_iter()), the copied data will be returned and added on inode size, which means that the length of written extents may exceed the inode size, then fsck will fail. An example is given as: dd if=/dev/ur... • https://git.kernel.org/stable/c/776722e85d3b0936253ecc3d14db4fba37f191ba •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50014 – ext4: fix access to uninitialised lock in fc replay path
https://notcve.org/view.php?id=CVE-2024-50014
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix access to uninitialised lock in fc replay path The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with fast-commit feature enabled: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11 Hardware... • https://git.kernel.org/stable/c/d157fc20ca5239fd56965a5a8aa1a0e25919891a •