CVE-2023-28466 – kernel: tls: race condition in do_tls_getsockopt may lead to use-after-free or NULL pointer dereference
https://notcve.org/view.php?id=CVE-2023-28466
do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). A use-after-free flaw was found in the do_tls_getsockopt function in net/tls/tls_main.c in the Transport Layer Security (TLS) in the Network subcompact in the Linux kernel. This flaw allows an attacker to cause a NULL pointer dereference problem due to a race condition. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://security.netapp.com/advisory/ntap-20230427-0006 https://access.redhat.com/security/cve/CVE-2023-28466 https://bugzilla.redhat.com/show_bug.cgi?id=2179000 • CWE-416: Use After Free CWE-476: NULL Pointer Dereference •
CVE-2023-26545 – kernel: mpls: double free on sysctl allocation failure
https://notcve.org/view.php?id=CVE-2023-26545
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. A double-free flaw was found in the Linux kernel when the MPLS implementation handled sysctl allocation failures. This issue could allow a local user to cause a denial of service or possibly execute arbitrary code. • https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.13 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fda6c89fe3d9aca073495a664e1d5aea28cd4377 https://github.com/torvalds/linux/commit/fda6c89fe3d9aca073495a664e1d5aea28cd4377 https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html https://security.netapp.com/advisory/ntap-20230316-0009 https://access.redhat.com/security/cve/CVE-2023-26545 • CWE-415: Double Free •
CVE-2023-0045 – Incorrect indirect branch prediction barrier in the Linux Kernel
https://notcve.org/view.php?id=CVE-2023-0045
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 • https://github.com/ASkyeye/CVE-2023-0045 https://github.com/es0j/CVE-2023-0045 https://git.kernel.org/tip/a664ec9158eeddd75121d39c9a0758016097fa96 https://github.com/google/security-research/security/advisories/GHSA-9x5g-vmxf-4qj8 https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html https://security.netapp.com/advisory/ntap-20230714-0001 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVE-2022-47519
https://notcve.org/view.php?id=CVE-2022-47519
An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames. Se descubrió un problema en el kernel de Linux anterior a 6.0.11. La falta de validación de IEEE80211_P2P_ATTR_OPER_CHANNEL en drivers/net/wireless/microchip/wilc1000/cfg80211.c en el controlador inalámbrico WILC1000 puede desencadenar una escritura fuera de los límites al analizar el atributo de lista de canales de los marcos de administración de Wi-Fi. • https://github.com/torvalds/linux/commit/051ae669e4505abbe05165bebf6be7922de11f41 https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull%40github.com https://security.netapp.com/advisory/ntap-20230113-0007 • CWE-787: Out-of-bounds Write •
CVE-2022-47518
https://notcve.org/view.php?id=CVE-2022-47518
An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames. Se descubrió un problema en el kernel de Linux anterior a 6.0.11. La falta de validación del número de canales en drivers/net/wireless/microchip/wilc1000/cfg80211.c en el controlador inalámbrico WILC1000 puede provocar un desbordamiento de búfer de almacenamiento dinámico al copiar la lista de canales operativos desde marcos de administración de Wi-Fi. • https://github.com/torvalds/linux/commit/0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0 https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull%40github.com https://security.netapp.com/advisory/ntap-20230113-0007 • CWE-787: Out-of-bounds Write •