CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53181 – um: vector: Do not use drvdata in release
https://notcve.org/view.php?id=CVE-2024-53181
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: um: vector: Do not use drvdata in release The drvdata is not available in release. Let's just use container_of() to get the vector_device instance. Otherwise, removing a vector device will result in a crash: RIP: 0033:vector_device_release+0xf/0x50 RSP: 00000000e187bc40 EFLAGS: 00010202 RAX: 0000000060028f61 RBX: 00000000600f1baf RCX: 00000000620074e0 RDX: 000000006220b9c0 RSI: 0000000060551c80 RDI: 0000000000000000 RBP: 00000000e187bc50 R0... • https://git.kernel.org/stable/c/8ed7793f6f589b4e1f0b38f8448578d2a48f9c82 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-53180 – ALSA: pcm: Add sanity NULL check for the default mmap fault handler
https://notcve.org/view.php?id=CVE-2024-53180
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Add sanity NULL check for the default mmap fault handler A driver might allow the mmap access before initializing its runtime->dma_area properly. Add a proper NULL check before passing to virt_to_page() for avoiding a panic. In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Add sanity NULL check for the default mmap fault handler A driver might allow the mmap access before initializing its runtime->dm... • https://git.kernel.org/stable/c/8799f4332a9fd812eadfbc32fc5104d6292f754f •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53179 – smb: client: fix use-after-free of signing key
https://notcve.org/view.php?id=CVE-2024-53179
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuri... • https://git.kernel.org/stable/c/0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53177 – smb: prevent use-after-free due to open_cached_dir error paths
https://notcve.org/view.php?id=CVE-2024-53177
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: smb: prevent use-after-free due to open_cached_dir error paths If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs... • https://git.kernel.org/stable/c/791f833053578b9fd24252ebb7162a61bc3f805b •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-53174 – SUNRPC: make sure cache entry active before cache_show
https://notcve.org/view.php?id=CVE-2024-53174
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: SUNRPC: make sure cache entry active before cache_show The function `c_show` was called with protection from RCU. This only ensures that `cp` will not be freed. Therefore, the reference count for `cp` can drop to zero, which will trigger a refcount use-after-free warning when `cache_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `cp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; u... • https://git.kernel.org/stable/c/e9be26735d055c42543a4d047a769cc6d0fb1504 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53173 – NFSv4.0: Fix a use-after-free problem in the asynchronous open()
https://notcve.org/view.php?id=CVE-2024-53173
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is comp... • https://git.kernel.org/stable/c/24ac23ab88df5b21b5b2df8cde748bf99b289099 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53165 – sh: intc: Fix use-after-free bug in register_intc_controller()
https://notcve.org/view.php?id=CVE-2024-53165
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: sh: intc: Fix use-after-free bug in register_intc_controller() In the error handling for this function, d is freed without ever removing it from intc_list which would lead to a use after free. To fix this, let's only add it to the list after everything has succeeded. In the Linux kernel, the following vulnerability has been resolved: sh: intc: Fix use-after-free bug in register_intc_controller() In the error handling for this function, d is... • https://git.kernel.org/stable/c/2dcec7a988a1895540460a0bf5603bab63d5a3ed •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49034 – sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
https://notcve.org/view.php?id=CVE-2022-49034
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected, cpu_max_bits_warn() generates a runtime warning similar as below when showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f... • https://git.kernel.org/stable/c/8fbb57eabfc8ae67115cb47f904614c99d626a89 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53164 – net: sched: fix ordering of qlen adjustment
https://notcve.org/view.php?id=CVE-2024-53164
27 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty. In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a cal... • https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53156 – wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
https://notcve.org/view.php?id=CVE-2024-53156
24 Dec 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51 index 255 is out of range for type 'htc_endpoint [22]' CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events request_firmware_work_fu... • https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08 •