CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56650 – netfilter: x_tables: fix LED ID check in led_tg_check()
https://notcve.org/view.php?id=CVE-2024-56650
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: fix LED ID check in led_tg_check() Syzbot has reported the following BUG detected by KASAN: BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70 Read of size 1 at addr ffff8881022da0c8 by task repro/5879 ... Call Trace: <TASK> dump_stack_lvl+0x241/0x360 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? _printk+0xd5/0x120 ? __virt_addr_valid+0x183/0x530 ? • https://git.kernel.org/stable/c/268cb38e1802db560c73167e643f14a3dcb4b07c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56648 – net: hsr: avoid potential out-of-bound access in fill_frame_info()
https://notcve.org/view.php?id=CVE-2024-56648
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net: hsr: avoid potential out-of-bound access in fill_frame_info() syzbot is able to feed a packet with 14 bytes, pretending it is a vlan one. Since fill_frame_info() is relying on skb->mac_len already, extend the check to cover this case. BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline] BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724 fill_frame_info net/hsr/hsr_forward... • https://git.kernel.org/stable/c/f6442ee08fe66c8e45c4f246531a2aaf4f17a7a7 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56647 – net: Fix icmp host relookup triggering ip_rt_bug
https://notcve.org/view.php?id=CVE-2024-56647
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Call ... • https://git.kernel.org/stable/c/8b7817f3a959ed99d7443afc12f78a7e1fcc2063 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56645 – can: j1939: j1939_session_new(): fix skb reference counting
https://notcve.org/view.php?id=CVE-2024-56645
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_session_new(): fix skb reference counting Since j1939_session_skb_queue() does an extra skb_get() for each new skb, do the same for the initial one in j1939_session_new() to avoid refcount underflow. [mkl: clean up commit message] • https://git.kernel.org/stable/c/9d71dd0c70099914fcd063135da3c580865e924c •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-56644 – net/ipv6: release expired exception dst cached in socket
https://notcve.org/view.php?id=CVE-2024-56644
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net/ipv6: release expired exception dst cached in socket Dst objects get leaked in ip6_negative_advice() when this function is executed for an expired IPv6 route located in the exception table. There are several conditions that must be fulfilled for the leak to occur: * an ICMPv6 packet indicating a change of the MTU for the path is received, resulting in an exception dst being created * a TCP connection that uses the exception dst for ... • https://git.kernel.org/stable/c/54c1a859efd9fd6cda05bc700315ba2519c14eba •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56643 – dccp: Fix memory leak in dccp_feat_change_recv
https://notcve.org/view.php?id=CVE-2024-56643
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: dccp: Fix memory leak in dccp_feat_change_recv If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed. Here is the kmemleak stack for this: unreferenced object 0xffff88801d4ab488 (size 8): comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) hex dump (first 8 bytes): 0... • https://git.kernel.org/stable/c/e77b8363b2ea7c0d89919547c1a8b0562f298b57 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56642 – tipc: Fix use-after-free of kernel socket in cleanup_bearer().
https://notcve.org/view.php?id=CVE-2024-56642
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free of kernel socket in cleanup_bearer(). syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1] When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer(). tipc_net_stop() waits for such works to finish by checking tipc_net(net)->wq_count. However, the work decrements the count too early before releasing ... • https://git.kernel.org/stable/c/26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56641 – net/smc: initialize close_work early to avoid warning
https://notcve.org/view.php?id=CVE-2024-56641
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net/smc: initialize close_work early to avoid warning We encountered a warning that close_work was canceled before initialization. WARNING: CPU: 7 PID: 111103 at kernel/workqueue.c:3047 __flush_work+0x19e/0x1b0 Workqueue: events smc_lgr_terminate_work [smc] RIP: 0010:__flush_work+0x19e/0x1b0 Call Trace: ? __wake_up_common+0x7a/0x190 ? work_busy+0x80/0x80 __cancel_work_timer+0xe3/0x160 smc_close_cancel_work+0x1a/0x70 [... • https://git.kernel.org/stable/c/46c28dbd4c23c3f7fa37f5ea48772af79c9cc40e •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56640 – net/smc: fix LGR and link use-after-free issue
https://notcve.org/view.php?id=CVE-2024-56640
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 ... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56637 – netfilter: ipset: Hold module reference while requesting a module
https://notcve.org/view.php?id=CVE-2024-56637
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Hold module reference while requesting a module User space may unload ip_set.ko while it is itself requesting a set type backend module, leading to a kernel crash. The race condition may be provoked by inserting an mdelay() right after the nfnl_unlock() call. • https://git.kernel.org/stable/c/a7b4f989a629493bb4ec4a354def784d440b32c4 •