Hui Peng

**Name of the Vulnerable Software and Affected Versions** Android (affected versions not specified) **Description** A flaw exists in the Android operating system's Bluetooth stack, specifically within the `build read multi rsp` function of `gatt sr.cc`. This issue is due to insufficient input validation, leading to a heap buffer overflow and a potential integer underflow. Successful exploitation allows a remote attacker to execute arbitrary code without requiring user interaction or authentication. The vulnerability resides in the handling of the GATT REQ READ MULTI VAR opcode. The vulnerability can lead to a denial-of-service or, under favorable conditions, remote code execution within the Bluetooth daemon. Exploitation involves crafting and sending specially designed Read Multiple requests that cause the `build read multi rsp()` function to incorrectly calculate the total response size, resulting in a heap corruption. The vulnerability has been demonstrated on devices using Jemalloc (Xiaomi 12T) and Scudo (Samsung A54). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** In the `eatt l2cap reconfig completed` function of `eatt impl.h`, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.4.10 **Description** The issue is related to the `l2cap sock release` function in the Linux kernel, specifically in the `net/bluetooth/l2cap sock.c` file. It involves a use-after-free error because the children of an `sk` are mishandled. This could potentially allow an attacker to cause a denial of service or have other impacts. **Recommendations** For Linux kernel versions prior to 6.4.10, update to version 6.4.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `l2cap sock release` function in `net/bluetooth/l2cap sock.c` until a patch is available.

**Nome do software vulnerável e versões afetadas** Versões do TensorFlow anteriores à 2.10.0 As versões 2.9.1, 2.8.1 e 2.7.2 do TensorFlow também estão afetadas **Descrição** A função `GatherNd` no TensorFlow recebe argumentos que determinam os tamanhos das entradas e saídas. Se as entradas fornecidas forem maiores ou iguais aos tamanhos das saídas, uma leitura de memória fora dos limites é acionada. Esta vulnerabilidade foi relatada por Hui Peng, da Baidu Security. **Recomendações** Para versões do TensorFlow anteriores à 2.10.0, atualize para a versão 2.10.0 ou posterior para resolver o problema. Para as versões 2.9.1, 2.8.1 e 2.7.2 do TensorFlow, atualize para as respectivas versões selecionadas para resolver o problema. Como solução alternativa temporária, considere restringir o uso da função `GatherNd` até que um patch esteja disponível.

**Nome do software vulnerável e versões afetadas** Versões do TensorFlow anteriores à 2.10.0 Versões do TensorFlow 2.9.1 e anteriores Versões do TensorFlow 2.8.1 e anteriores Versões do TensorFlow 2.7.2 e anteriores **Descrição** A função `ScatterNd` no TensorFlow recebe um argumento de entrada que determina os índices do tensor de saída. Se o índice de entrada for maior que o tensor de saída ou menor que zero, ela pode gravar conteúdo no índice errado ou causar uma falha no sistema. **Recomendações** Para versões anteriores à 2.10.0, atualize para o TensorFlow 2.10.0 ou posterior. Para versões 2.9.1 e anteriores, atualize para o TensorFlow 2.9.1 ou posterior. Para versões 2.8.1 e anteriores, atualize para o TensorFlow 2.8.1 ou posterior. Para versões 2.7.2 e anteriores, atualize para o TensorFlow 2.7.2 ou posterior. Como solução alternativa temporária, considere restringir o uso da função `ScatterNd` até que um patch esteja disponível.

**Nome do software vulnerável e versões afetadas** Versões do TensorFlow anteriores à 2.10.0 Versões do TensorFlow 2.9.1 e anteriores Versões do TensorFlow 2.8.1 e anteriores Versões do TensorFlow 2.7.2 e anteriores **Descrição** O TensorFlow é uma plataforma de código aberto para aprendizado de máquina. A função `GatherNd` recebe argumentos que determinam os tamanhos das entradas e saídas. Se as entradas fornecidas forem maiores ou iguais aos tamanhos das saídas, ocorre uma leitura de memória fora dos limites ou uma falha no sistema. **Recomendações** Para versões anteriores à 2.10.0, atualize para o TensorFlow 2.10.0 ou posterior. Para versões 2.9.1 e anteriores, atualize para o TensorFlow 2.9.1 ou posterior. Para versões 2.8.1 e anteriores, atualize para o TensorFlow 2.8.1 ou posterior. Para versões 2.7.2 e anteriores, atualize para o TensorFlow 2.7.2 ou posterior. Como solução alternativa temporária, considere restringir o uso da função `GatherNd` até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.2.9 **Description** The issue is related to a Double Free error in the Linux kernel, specifically in the drivers/net/wireless/rsi/rsi 91x usb.c file. This error can be triggered by crafted USB device traffic, which may be remote via usbip or usbredir, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions through 5.2.9, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.2.9 **Description** The issue is related to the `check input term` function in the `sound/usb/mixer.c` file of the Linux kernel, which mishandles recursion. This leads to kernel stack exhaustion. **Recommendations** For Linux kernel versions through 5.2.9, update to a version newer than 5.2.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.2.9 **Description** The issue is related to the `parse audio mixer unit` function in the `sound/usb/mixer.c` file of the Linux kernel, which mishandles a short descriptor, leading to out-of-bounds memory access. This can potentially allow an attacker to access confidential information or cause a denial of service. **Recommendations** For Linux kernel versions through 5.2.9, update to a version newer than 5.2.9 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.2.9 **Description** The issue is related to a driver error in the Linux kernel, specifically in the `drivers/net/wireless/ath/ath6kl/usb.c` file, which is associated with NULL pointer dereference errors. This can be exploited by an attacker to cause a denial of service. The error occurs due to an incomplete address in an endpoint descriptor. **Recommendations** For Linux kernel versions prior to 5.2.9, update to version 5.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable driver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.19.9 **Description** The issue is related to the function `hso get config data` in the Linux kernel, which reads data from a USB device and uses it to index an array. This can result in an object out-of-bounds read, potentially allowing arbitrary read access in the kernel address space. The vulnerability may be exploited to cause a denial of service. **Recommendations** For Linux kernel versions prior to 4.19.9, update to version 4.19.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hso get config data` function in the `drivers/net/usb/hso.c` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.19.7 **Description** The issue is related to a use-after-free in the ALSA driver. A local user could exploit this by supplying a malicious USB Sound device that is mishandled in the `usb audio probe` function in `sound/usb/card.c`. This could allow an attacker to execute arbitrary code or cause a denial of service. **Recommendations** For Linux kernel versions prior to 4.19.7, consider updating to version 4.19.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of USB Sound devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.19.9 **Description** An issue in the Linux kernel's USB subsystem mishandles size checks during the reading of an extra descriptor, related to the ` usb get extra descriptor` function in `drivers/usb/core/usb.c`. This issue may allow an attacker to impact the confidentiality and integrity of protected information. **Recommendations** For Linux kernel versions prior to 4.19.9, update to version 4.19.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the USB subsystem to minimize the risk of exploitation.