CVE-2024-46771 – can: bcm: Remove proc entry when dev is unregistered.
https://notcve.org/view.php?id=CVE-2024-46771
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocat... Reference: https://git.kernel.org/stable/c/ffd980f976e7fd666c2e61bf8ab35107efd11828
CVE-2024-46770 – ice: Add netif_device_attach/detach into PF reset flow
https://notcve.org/view.php?id=CVE-2024-46770
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. Reproduction steps: Once the driver is fully initialized, trigger reset: # echo 1 > /sys/class/net/
CVE-2024-46765 – ice: protect XDP configuration with a mutex
https://notcve.org/view.php?id=CVE-2024-46765
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate ... Reference: https://git.kernel.org/stable/c/2d4238f5569722197612656163d824098208519c
CVE-2024-46763 – fou: Fix null-ptr-deref in GRO.
https://notcve.org/view.php?id=CVE-2024-46763
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() coul... Reference: https://git.kernel.org/stable/c/d92283e338f6d6503b7417536bf3478f466cbc01
CVE-2024-46762 – xen: privcmd: Fix possible access to a freed kirqfd instance
https://notcve.org/view.php?id=CVE-2024-46762
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already... Reference: https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527
CVE-2024-46761 – pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
https://notcve.org/view.php?id=CVE-2024-46761
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes ... Reference: https://git.kernel.org/stable/c/4eb4085c1346d19d4a05c55246eb93e74e671048
CVE-2024-46760 – wifi: rtw88: usb: schedule rx work after everything is set up
https://notcve.org/view.php?id=CVE-2024-46760
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit ... Reference: https://git.kernel.org/stable/c/e3037485c68ec1a299ff41160d8fedbd4abc29b9
CVE-2024-46759 – hwmon: (adc128d818) Fix underflows seen when writing limit attributes
https://notcve.org/view.php?id=CVE-2024-46759
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Reference: https://git.kernel.org/stable/c/05419d0056dcf7088687e561bb583cc06deba777
CVE-2024-46755 – wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
https://notcve.org/view.php?id=CVE-2024-46755
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something ... Reference: https://git.kernel.org/stable/c/a12cf97cbefa139ef8d95081f2ea047cbbd74b7a
CVE-2024-46754 – bpf: Remove tst_run from lwt_seg6local_prog_ops.
https://notcve.org/view.php?id=CVE-2024-46754
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without entering input_action_end_bpf() first. Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is neve... Reference: https://git.kernel.org/stable/c/004d4b274e2a1a895a0e5dc66158b90a7d463d44