Zheng Wang

**Nome do software vulnerável e versões afetadas** Versões do kernel Linux anteriores à 6.6.58 **Descrição** O problema está relacionado a um bug de uso após liberação (use after free) na função `venus remove`, devido a uma condição de corrida. Esse bug pode ser explorado para comprometer a confidencialidade, integridade e disponibilidade de informações protegidas. A vulnerabilidade é causada pelo fato de `core->work` estar vinculado a `venus sys error handler` em `venus probe`, e pelo código usar `core->sys err done` para realizar a sincronização. O `core->work` é iniciado em `venus event notify`. Se `venus remove` for chamado, pode haver um trabalho inacabado, levando a uma possível sequência em que o `hdev` é usado após ter sido liberado. **Recomendações** Para versões do kernel Linux anteriores à 6.6.58, atualize para a versão 6.6.58 ou posterior para resolver o problema. Como solução temporária, considere desativar a função `venus remove` até que um patch esteja disponível. Restrinja o acesso à função vulnerável `venus sys error handler` para minimizar o risco de exploração. Evite usar o `core->work` na função `venus probe` afetada até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the Linux kernel's mtk-jpeg component, specifically due to error path handling in `mtk jpeg dec device run`. This bug can be triggered in two ways: by removing the module, which calls `mtk jpeg remove` for cleanup, or by closing the file descriptor, which calls `mtk jpeg release`. The bug causes a use-after-free condition because the `mtk jpeg job timeout work` function is started while the job is marked as finished by invoking `v4l2 m2m job finish`. The fix involves starting the timeout worker only if the jpegdec worker is started successfully, ensuring that `v4l2 m2m job finish` is only called in either `mtk jpeg job timeout work` or `mtk jpeg dec device run`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.28 **Description** The issue is related to a use-after-free vulnerability in the brcmf cfg80211 detach function of the brcm80211 component in the Linux kernel. This vulnerability can be exploited by physically proximate attackers with local access, potentially allowing them to cause a denial of service. The vulnerability is related to the brcmf cfg80211 escan timeout worker function in the drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c file. **Recommendations** For Linux kernel versions prior to 6.6.28, update to version 6.6.28 or later to resolve the issue. As a temporary workaround, consider restricting local access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free problem in the `ravb tx timeout work()` function. This occurs when `ravb stop()` fails to call `cancel work sync()`, allowing `ravb tx timeout work()` to use freed memory after `ravb remove()` has been called. The vulnerability can be exploited to potentially elevate privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free error in the bttv component of the Linux kernel, specifically due to a race condition between the `bttv irq timeout` timer function and the `bttv remove` function. The timer is set up in the probe and there is no timer delete operation in the remove function, which can cause the `bttv irq timeout` function to still be invoked after the `btv` object has been freed, leading to a use-after-free bug. This bug was found through static analysis and may be a false positive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.3.8 **Description** A use-after-free issue was found in the `ravb remove()` function in the drivers/net/ethernet/renesas/ravb main.c module of the Linux kernel. This issue is related to a race condition that allows for the reuse of previously freed memory. Exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions through 6.3.8, as a temporary workaround, consider disabling the `ravb remove()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** A use-after-free issue was found in the `dm1105 remove()` function in the drivers/media/pci/dm1105/dm1105.c module of the Linux kernel. This issue is related to a race condition that allows for the reuse of previously freed memory due to concurrent access to a resource. Exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the `dm1105 remove()` function until a patch is available. Restrict access to the vulnerable module drivers/media/pci/dm1105/dm1105.c to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** The issue is related to a use-after-free in the `saa7134 finidev()` function in the Philips SAA7134 driver, located in `drivers/media/pci/saa7134/saa7134-core.c`. This is due to a race condition caused by concurrent access to a resource. Exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `saa7134 finidev()` function in the affected driver until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** The issue is related to a use-after-free vulnerability in the `cedrus remove()` function in the `drivers/staging/media/sunxi/cedrus/cedrus.c` module of the Linux kernel. This vulnerability is caused by a race condition due to concurrent access to a resource, allowing an attacker to potentially impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the `cedrus remove()` function until a patch is available. Restrict access to the vulnerable module `drivers/staging/media/sunxi/cedrus/cedrus.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** The issue is related to a use-after-free vulnerability in the `rkvdec remove()` function within the Rockchip Video Decoder driver in the Linux kernel. This vulnerability is caused by a race condition due to concurrent access to a resource, allowing an attacker to potentially impact the confidentiality, integrity, and availability of protected information. A proof-of-concept exploit has been discovered, which can silently execute a malicious bash script disguised as a kernel-level process. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the `rkvdec remove()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.9 **Description** The issue is related to a race condition and resultant use-after-free in the Linux kernel, specifically in the drivers/net/ethernet/qualcomm/emac/emac.c module. This occurs when a physically proximate attacker unplugs an emac based device, potentially allowing the attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is associated with the emac remove() function. **Recommendations** For Linux kernel versions prior to 6.2.9, update to version 6.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the emac module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. The vulnerability is related to the `xirc2ps detach()` function of the Xircom 16-bit PCMCIA (PC-card) network adapter driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** The issue is related to a use-after-free flaw in the `ndlc remove()` function, which can cause a system crash due to a race problem. This flaw may allow an attacker to disrupt service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.9 **Description** The issue is related to a race condition and resultant use-after-free in the drivers/power/supply/da9150-charger.c driver of the Linux kernel. This occurs when a physically proximate attacker unplugs a device, potentially leading to a denial of service. The vulnerability is associated with the `da9150 charger remove()` function and the use of shared resources. **Recommendations** For Linux kernel versions prior to 6.2.9, update to version 6.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `da9150-charger.c` driver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.9 **Description** A use-after-free issue was found in the `bq24190 remove()` function in the `drivers/power/supply/bq24190 charger.c` module of the Linux kernel. This issue could allow a local attacker to crash the system due to a race condition. The exploitation of this issue may result in a denial of service. **Recommendations** For Linux kernel versions prior to 6.2.9, update to version 6.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bq24190 remove()` function in the `drivers/power/supply/bq24190 charger.c` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `xgene hwmon remove` function in `drivers/hwmon/xgene-hwmon.c` of the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This issue could allow a local attacker to crash the system due to a race problem, potentially leading to a kernel information leak problem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `btsdio remove` function in the `driversbluetoothbtsdio.c` module of the Linux Kernel. This flaw may cause a race problem leading to a use-after-free issue on `hdev` devices when `btsdio remove` is called with an unfinished job. The exploitation of this issue can lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `r592 remove` function in `drivers/memstick/host/r592.c` related to media access in the Linux Kernel. This issue allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. The flaw is associated with a race condition due to concurrent access to resources, which could impact the confidentiality and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Kernel do Linux (versões afetadas não especificadas) **Descrição** Foi encontrada uma falha de liberação dupla de memória no kernel do Linux, especificamente no driver gráfico Intel GVT-g, que provoca sobrecarga dos recursos do sistema da placa VGA. Esse problema pode permitir que um usuário local cause uma falha no sistema ao provocar uma falha na função `intel gvt dma map guest page`. A falha está relacionada à limpeza inadequada ao lidar com exceções, o que pode levar a uma negação de serviço. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade. Como solução temporária, considere desativar a função `intel gvt dma map guest page` até que um patch esteja disponível. Restrinja o acesso ao driver gráfico Intel GVT-g para minimizar o risco de exploração. Evite usar o driver gráfico Intel GVT-g até que o problema seja resolvido.

**Nome do software vulnerável e versões afetadas** Kernel do Linux (versões afetadas não especificadas) **Descrição** Foi identificada uma vulnerabilidade crítica no Kernel do Linux, afetando a função `spl2sw nvmem get mac address` no arquivo `drivers/net/ethernet/sunplus/spl2sw driver.c` do componente BPF. Essa vulnerabilidade leva a um uso após liberação de memória (use after free), permitindo que um invasor comprometa a confidencialidade, integridade e disponibilidade das informações protegidas. **Recomendações** Para corrigir esse problema, recomenda-se aplicar um patch. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.