Pengfei Wang

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.17.2 **Description** An issue in the Linux kernel allows a malicious user thread to tamper with critical variables due to a race condition, leading to severe kernel errors such as buffer over-accesses. This can cause a local denial of service and information leakage. The issue is related to the `vbg misc device ioctl()` function in `drivers/virt/vboxguest/vboxguest linux.c`, which reads user data twice with `copy from user`, allowing the header part of the user data to be double-fetched. **Recommendations** For Linux kernel versions prior to 4.17.2, update to version 4.17.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `vbg misc device ioctl()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.11.8 **Description** The issue is related to the `snd msnd interrupt` function in the Linux kernel, which allows local users to cause a denial of service or possibly have other unspecified impacts. This is due to a "double fetch" vulnerability, where the value of a message queue head pointer can be changed between two kernel reads, resulting in over-boundary access. The vulnerability may be exploited to cause a denial of service or other effects. **Recommendations** For Linux kernel versions prior to 4.11.8, update to version 4.11.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `snd msnd interrupt` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.11.7 **Description** The issue is related to the `snd msndmidi input read` function in the Linux kernel, specifically in the `sound/isa/msnd/msnd midi.c` file. It is caused by an out-of-bounds access in memory, which can be exploited to cause a denial of service or potentially have other unspecified impacts. This can be achieved by locally changing the value of a message queue head pointer between two kernel reads of that value, also known as a "double fetch" vulnerability. **Recommendations** For Linux kernel versions prior to 4.11.7, update to version 4.11.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `snd msndmidi input read` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.11.8 **Description** The issue is related to the `intr` function in `sound/oss/msnd pinnacle.c`, which allows local users to cause a denial of service or possibly have other unspecified impacts. This is due to a "double fetch" vulnerability, where the value of a message queue head pointer can be changed between two kernel reads, resulting in over-boundary access. The vulnerability can be exploited by a local attacker to cause a denial of service or potentially other effects. **Recommendations** For Linux kernel versions prior to 4.11.8, update to version 4.11.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `sound/oss/msnd pinnacle.c` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.11.5 **Description** The issue is related to a memory leak in the `saa7164 bus get` function. It may allow a local attacker to cause a denial of service or have other unspecified impacts by exploiting an out-of-bounds array access, also referred to as a "double fetch" vulnerability. This can be achieved by changing a certain sequence-number value. **Recommendations** For Linux kernel versions prior to 4.11.5, update to version 4.11.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `saa7164 bus get` function in the `drivers/media/pci/saa7164/saa7164-bus.c` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.7 **Description** The issue is related to a race condition in the `ec device ioctl xcmd` function, which can be exploited by local users to cause a denial of service through an out-of-bounds array access. This is achieved by changing a certain size value, and it is also known as a "double fetch" vulnerability. **Recommendations** For Linux kernel versions prior to 4.7, update to version 4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ec device ioctl xcmd` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.8 **Description** The issue is related to a race condition in the audit log single execve arg function, allowing local users to bypass character-set restrictions or disrupt system-call auditing by changing a certain string. This is due to a "double fetch" vulnerability. **Recommendations** For Linux kernel versions prior to 4.8, update to version 4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the audit log single execve arg function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.6.1 **Description** A race condition exists in the `vop ioctl` function, allowing local users to obtain sensitive information from kernel memory or cause a denial of service, including memory corruption and system crash, by exploiting a "double fetch" vulnerability in the MIC VOP driver. **Recommendations** For versions prior to 4.6.1, update to version 4.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `vop ioctl` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.6 **Description** The issue is related to a race condition in the sclp ctl ioctl sccb function, which allows local users to obtain sensitive information from kernel memory. This is achieved by changing a certain length value, also known as a "double fetch" vulnerability. **Recommendations** For versions prior to 4.6, update to version 4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the sclp ctl ioctl sccb function until a patch is available.