CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42286 – scsi: qla2xxx: validate nvme_local_port correctly
https://notcve.org/view.php?id=CVE-2024-42286
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: validate nvme_local_port correctly The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 00000000000000... • https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42285 – RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
https://notcve.org/view.php?id=CVE-2024-42285
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct r... • https://git.kernel.org/stable/c/59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42284 – tipc: Return non-zero value from tipc_udp_addr2str() on error
https://notcve.org/view.php?id=CVE-2024-42284
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address. In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return ... • https://git.kernel.org/stable/c/d0f91938bede204a343473792529e0db7d599836 • CWE-393: Return of Wrong Status Code •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-42281 – bpf: Fix a segment issue when downgrading gso_size
https://notcve.org/view.php?id=CVE-2024-42281
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a segment issue when downgrading gso_size Linearize the skb when downgrading gso_size because it may trigger a BUG_ON() later when the skb is segmented as described in [1,2]. In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a segment issue when downgrading gso_size Linearize the skb when downgrading gso_size because it may trigger a BUG_ON() later when the skb is segmented as described in [1,2]. Andy Ngu... • https://git.kernel.org/stable/c/2be7e212d5419a400d051c84ca9fdd083e5aacac •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42280 – mISDN: Fix a use after free in hfcmulti_tx()
https://notcve.org/view.php?id=CVE-2024-42280
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp). Ubuntu Security Notice 7144-1 - Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service ... • https://git.kernel.org/stable/c/af69fb3a8ffa37e986db00ed93099dc44babeef4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42271 – net/iucv: fix use after free in iucv_sock_close()
https://notcve.org/view.php?id=CVE-2024-42271
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_cal... • https://git.kernel.org/stable/c/7d316b9453523498246e9e19a659c423d4c5081e • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-42267 – riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
https://notcve.org/view.php?id=CVE-2024-42267
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly kill the process and we don't BUG() the kernel. In the Linux kernel, the following vulnerability has been resolved: riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly kill the process and we don't BUG() the kernel. Ubuntu Security ... • https://git.kernel.org/stable/c/07037db5d479f90377c998259a4f9a469c404edf •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42265 – protect the fetch of ->fd[fd] in do_dup2() from mispredictions
https://notcve.org/view.php?id=CVE-2024-42265
17 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: protect the fetch of ->fd[fd] in do_dup2() from mispredictions both callers have verified that fd is not greater than ->max_fds; however, misprediction might end up with tofree = fdt->fd[fd]; being speculatively executed. That's wrong for the same reasons why it's wrong in close_fd()/file_close_fd_locked(); the same solution applies - array_index_nospec(fd, fdt->max_fds) could differ from fd only in case of speculative execution on mispredi... • https://git.kernel.org/stable/c/ed42e8ff509d2a61c6642d1825032072dab79f26 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42259 – drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
https://notcve.org/view.php?id=CVE-2024-42259
14 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation Calculating the size of the mapped area as the lesser value between the requested size and the actual size does not consider the partial mapping offset. This can cause page fault access. Fix the calculation of the starting and ending addresses, the total size is now deduced from the difference between the end and start addresses. Additionally, the calculations have been rewritt... • https://git.kernel.org/stable/c/c58305af1835095ddc25ee6f548ac05915e66ac5 •
CVSS: 4.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-42253 – gpio: pca953x: fix pca953x_irq_bus_sync_unlock race
https://notcve.org/view.php?id=CVE-2024-42253
08 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race Ensure that `i2c_lock' is held when setting interrupt latch and mask in pca953x_irq_bus_sync_unlock() in order to avoid races. The other (non-probe) call site pca953x_gpio_set_multiple() ensures the lock is held before calling pca953x_write_regs(). The problem occurred when a request raced against irq_bus_sync_unlock() approximately once per thousand reboots on an i.MX8MP based system. * N... • https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34 •