Al Viro

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The issue is related to the Linux kernel, specifically the xen: privcmd component. It allows for possible access to a freed kirqfd instance due to simultaneous ioctl calls to `privcmd irqfd assign()` and `privcmd irqfd deassign()`. If this happens, a kirqfd created by `privcmd irqfd assign()` may be removed by another thread executing `privcmd irqfd deassign()` while still being used, leading to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. The fix involves using SRCU locking, similar to the KVM implementation for irqfds. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider disabling the `privcmd irqfd assign()` and `privcmd irqfd deassign()` functions until a patch is available. Restrict access to the irqfds list to minimize the risk of exploitation. Avoid using the `irqfds list` in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a deadlock that occurs when `irqfd wakeup()` gets `EPOLLHUP` and is called by `eventfd release()` through `wake up poll(&ctx->wqh, EPOLLHUP)`, which is called under `spin lock irqsave()`. This happens because a mutex cannot be used in this context, as it would lead to a deadlock. The fix involves switching from a mutex to a spinlock for irqfds. The vulnerability can be exploited through a local network attack vector. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider restricting access to the vulnerable `irqfd wakeup()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.43 **Description** A use-after-free vulnerability in the `kvm spapr tce attach iommu group()` function in the Linux kernel allows an attacker to potentially impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the function looks up `stt` from `tablefd` and continues to use it after doing `fdput()` on the returned fd, which can be closed by another thread, freeing `stt`. Although there are calls to `rcu read lock()` in `kvm spapr tce attach iommu group()`, they are not sufficient to prevent the use-after-free, as `stt` is used outside the locked regions. The issue can be detected by KASAN with an artificial delay after the `fdput()` and a userspace program that triggers the race. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.43 or later. As a temporary workaround, consider delaying the `fdput()` until `stt` is no longer in use, which is effectively the entire `kvm spapr tce attach iommu group()` function. To keep the patch minimal, add a call to `fdput()` at each of the existing return paths. Future work can convert the function to goto or cleanup style cleanup.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's IMA (Integrity Measurement Architecture) component, specifically in the `ima collect measurement()` function. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs because the `d name.name` field of a `dentry` can change when renamed, and the earlier value can be freed. However, the conditions to stabilize this, such as `d lock` on the `dentry`, its parent, or `i rwsem` exclusive on the parent's inode, and `rename lock`, are not met at the affected sites. To resolve this, a stable snapshot of the name is taken instead. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to the Linux kernel, specifically with the `do dup2()` function, where a misprediction might lead to speculative execution of `tofree = fdt->fd[fd]`. This is wrong for the same reasons it is wrong in `close fd()`/`file close fd locked()`. The solution involves using `array index nospec(fd, fdt->max fds)` to protect against mispredictions. The vulnerability is associated with incorrect input validation in the `fs/file` component of the Linux kernel, which could allow an attacker to cause a denial of service. **Recommendations** For Linux kernel versions prior to 6.6.50, update to version 6.6.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `do dup2()` function until a patch is available. Avoid using the `fd` variable in the affected `do dup2()` function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a deadlock or deadcode in the Linux kernel's ceph component, caused by incorrect lock ordering between denty and its parent. The lock order is incorrect, and the parent should always get the lock first. However, since this deadcode is never used and the parent directory will always be set from the callers, the solution is to remove it. The vulnerability may allow an attacker to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `f2fs rename()` function in the Linux kernel, which can cause dirent corruption due to a missed call to `f2fs set link()` to update the ".." link to the new directory. This can occur when performing a cross-directory rename operation. The vulnerability may allow an attacker to elevate their privileges. Technical details about exploitation include: - The `f2fs rename()` function is vulnerable. - The `old dir` and `new dir` variables are used in the function. - The `f2fs set link()` function is not called in certain cases, leading to the corruption. - A testcase involving `mkdir -p dir/foo` and `renameat2 -w dir/foo bar` can cause the corruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.19 through 5.6.7 **Description** The issue is related to a race condition in the Linux kernel, specifically in the enable sacf uaccess function, which can lead to code execution. This occurs because the function fails to protect against a concurrent page table upgrade. A crash could also occur as a result of this issue. The problem is associated with errors in executing multithreaded tasks. **Recommendations** For Linux kernel versions 4.19 through 5.6.7, consider disabling the `enable sacf uaccess` function as a temporary workaround until a patch is available. Restrict access to the `arch/s390/lib/uaccess.c` module to minimize the risk of exploitation. Avoid using the `enable sacf uaccess` function in multithreaded tasks until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.5 **Description** The issue is related to a use-after-free in the `fs/namei.c` file of the Linux kernel. This can be exploited by local users to cause a denial of service or possibly obtain sensitive information from kernel memory. One potential attack vector involves an open system call for a UNIX domain socket, specifically when the socket is being moved to a new parent directory and its old parent directory is being removed. **Recommendations** For Linux kernel versions prior to 5.5, update to version 5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to UNIX domain sockets to minimize the risk of exploitation. Avoid using the `open` system call for UNIX domain sockets when moving them to new parent directories, especially if the old parent directory is being removed, until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Android kernel Description: There is an elevation of privilege issue in the bluez component of the Upstream kernel. This affects the Android product. Recommendations: For Android kernel, apply the necessary patches or updates to resolve the elevation of privilege issue in the bluez component.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.19 **Description** The issue is related to the bnep add connection function in the Linux kernel, which does not properly check for the availability of an l2cap socket. This allows local users to potentially gain privileges by using a crafted application. **Recommendations** For versions prior to 3.19, update to version 3.19 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.17.3 **Description** The issue is related to the d walk function in fs/dcache.c, which does not properly maintain the semantics of rename lock. This allows local users to cause a denial of service, resulting in a deadlock and system hang, via a crafted application. **Recommendations** For Linux kernel versions prior to 3.17.3, update to version 3.17.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.13.5 **Description** The issue is related to the cifs iovec write function in fs/cifs/file.c, which does not properly handle uncached write operations that copy fewer than the requested number of bytes. This allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. **Recommendations** For Linux kernel versions through 3.13.5, update to a version later than 3.13.5 to resolve the issue. As a temporary workaround, consider restricting access to the cifs iovec write function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.28-rc5 **Description** The issue is related to the inotify functionality in the Linux kernel, which might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. **Recommendations** For Linux kernel versions prior to 2.6.28-rc5, update to version 2.6.28-rc5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 2.6.12 through 2.6.17-rc1 **Description** The issue is related to the fill write buffer function in sysfs/file.c, which does not properly zero-terminate a buffer when a length of PAGE SIZE or more is requested. This could allow local users to cause a denial of service by triggering an out-of-bounds read, potentially leading to a system crash. **Recommendations** For Linux kernel versions 2.6.12 through 2.6.17-rc1, consider updating to a version after 2.6.17-rc1 to resolve the issue. As a temporary workaround, restrict local user access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 2.4 and 2.6 aa-sources package versions prior to 2.4.23-r2 in Gentoo Linux **Description** The issue concerns multiple unknown vulnerabilities in the Linux kernel and the aa-sources package in Gentoo Linux. These vulnerabilities can be exploited locally to gain privileges, access kernel memory, or disrupt the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions 2.4 and 2.6, update to a version that includes fixes for these vulnerabilities. For aa-sources package versions prior to 2.4.23-r2 in Gentoo Linux, update to version 2.4.23-r2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NetPBM versions 9.20 and earlier **Description** The issue involves multiple vulnerabilities that can be exploited remotely, potentially leading to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities may cause a denial of service or allow the execution of arbitrary code via maths overflow errors, including integer signedness errors or integer overflows that lead to buffer overflows. **Recommendations** For versions 9.20 and earlier, update to a version later than 9.20 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability for other affected versions.

**Name of the Vulnerable Software and Affected Versions** usbvision-kmp-default (affected versions not specified) usbvision-kmp-xenpae (affected versions not specified) usbvision-kmp-bigsmp (affected versions not specified) usbvision-kmp-xen (affected versions not specified) usbvision-kmp-debug (affected versions not specified) Linux kernel versions prior to 2.4.34-rc4 **Description** The issue involves multiple vulnerabilities in the usbvision-kmp packages of the openSUSE operating system, which can lead to disruption of protected information availability. These vulnerabilities can be exploited remotely. Additionally, a function in the Linux kernel, specifically the `isdn ppp ccp reset alloc state` function in `drivers/isdn/isdn ppp.c`, has an unknown attack vector that can cause a system crash due to not calling the `init timer` function for the ISDN PPP CCP reset state timer. **Recommendations** For usbvision-kmp-default, consider disabling the package until a patch is available. For usbvision-kmp-xenpae, consider disabling the package until a patch is available. For usbvision-kmp-bigsmp, consider disabling the package until a patch is available. For usbvision-kmp-xen, consider disabling the package until a patch is available. For usbvision-kmp-debug, consider disabling the package until a patch is available. For Linux kernel versions prior to 2.4.34-rc4, update to version 2.4.34-rc4 or later to resolve the issue with the `isdn ppp ccp reset alloc state` function.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise (affected versions not specified) Linux kernel versions prior to 2.6.13.1 **Description** The issue affects the Linux kernel and SUSE Linux Enterprise, involving multiple vulnerabilities in various packages. These vulnerabilities can be exploited locally, potentially leading to disruptions in confidentiality, integrity, and availability of protected information. The raw sendmsg function in the Linux kernel is specifically mentioned as allowing local users to cause a denial of service or read from arbitrary memory via crafted input. **Recommendations** For Linux kernel versions prior to 2.6.13.1, update to version 2.6.13.1 or later to resolve the issue. For SUSE Linux Enterprise, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel-image-2.4.27-4-itanium versions 2.4.27-4-itanium Debian GNU/Linux kernel-image-2.4.27-4-586tsc versions 2.4.27-4-586tsc Debian GNU/Linux kernel-image-2.4.27-4-s390 versions 2.4.27-4-s390 Debian GNU/Linux kernel-image-2.4.27-4-s390-tape versions 2.4.27-4-s390-tape Debian GNU/Linux kernel-image-2.4.27-4-mckinley versions 2.4.27-4-mckinley Debian GNU/Linux kernel-image-2.4.27-4-mckinley-smp versions 2.4.27-4-mckinley-smp Debian GNU/Linux kernel-image-2.4.27-4-686 versions 2.4.27-4-686 Debian GNU/Linux kernel-image-2.4.27-4-686-smp versions 2.4.27-4-686-smp Debian GNU/Linux kernel-image-2.4.27-4-k7 versions 2.4.27-4-k7 Debian GNU/Linux kernel-image-2.4.27-4-k7-smp versions 2.4.27-4-k7-smp Debian GNU/Linux kernel-image-2.4.27-4-sparc64 versions 2.4.27-4-sparc64 Debian GNU/Linux kernel-image-2.4.27-4-sparc64-smp versions 2.4.27-4-sparc64-smp Debian GNU/Linux kernel-image-2.4.27-4-sparc32 versions 2.4.27-4-sparc32 Debian GNU/Linux kernel-image-2.4.27-4-sparc32-smp versions 2.4.27-4-sparc32-smp Debian GNU/Linux kernel-image-2.4.27-4-386 versions 2.4.27-4-386 Debian GNU/Linux kernel-image-2.4.27-4-k6 versions 2.4.27-4-k6 Debian GNU/Linux kernel-image-2.4.27-4-s390x versions 2.4.27-4-s390x openSUSE usbvision-kmp-default versions not specified openSUSE kernel-default-nongpl versions not specified openSUSE kernel-bigsmp-nongpl versions not specified openSUSE kernel-xen-nongpl versions not specified openSUSE kernel-um-nongpl versions not specified openSUSE kernel-smp-nongpl versions not specified openSUSE k smp versions not specified openSUSE k deflt versions not specified openSUSE k itanium2-smp versions not specified openSUSE k itanium2 versions not specified openSUSE k athlon versions not specified openSUSE k page-64k versions not specified openSUSE k numa versions not specified openSUSE k psmp versions not specified openSUSE km nss versions not specified SUSE Linux Enterprise k smp versions not specified SUSE Linux Enterprise k deflt versions not specified SUSE Linux Enterprise k athlon versions not specified SUSE Linux Enterprise k debug versions not specified Linux kernel versions 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x **Description** The issue is related to multiple vulnerabilities in various Linux kernel packages and modules, which can lead to a denial of service (crash) and potentially allow remote attackers to execute arbitrary code. The vulnerabilities can be exploited remotely. The affected packages include kernel-image, kernel-headers, pcmcia-modules, hostap-modules, and others. The vulnerabilities are related to buffer overflows in the cmtp recv interopmsg function in the Bluetooth driver. **Recommendations** For each affected version, update to a newer version that contains a fix for this issue. As a temporary workaround, consider disabling the vulnerable functions or modules until a patch is available. Restrict access to the vulnerable modules to minimize the risk of exploitation. Avoid using the vulnerable parameters or variables in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.