Andy Shevchenko

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: A vulnerability in the Linux kernel has been fixed, involving the mwifiex WiFi driver. The issue was a memcpy() field-spanning write warning in the `mwifiex cmd 802 11 scan ext()` function. This warning occurred due to a one-element array in the `struct host cmd ds 802 11 scan ext` structure, which has been replaced with a flexible-array member to resolve the issue. The warning was detected when the `memcpy()` function attempted to write beyond the bounds of the `ext scan->tlv buffer` field. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider disabling the `mwifiex cmd 802 11 scan ext()` function until a patch is available. Restrict access to the `mwifiex` WiFi driver to minimize the risk of exploitation. Avoid using the `ext scan->tlv buffer` field in the affected `mwifiex cmd 802 11 scan ext()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when the last MAX3100 device is removed, triggering the removal of the driver. However, the code fails to update the respective global variable, leading to a kernel crash after an insmod — rmmod — insmod cycle. This results in a NULL pointer dereference. The error path in the probe is also affected by the variable not being cleared. To resolve this, the assignment should be moved after the successful `uart register driver()` call. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the serial driver max3100 in the Linux kernel. The function `uart handle cts change()` needs to be called with the port lock taken, but since it is run in a separate work, the lock may not be taken at the time of running. This can cause a splat warning. The `uart handle cts change()` function is called without explicitly taking the port lock, which can lead to issues. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the ARM component of the Linux kernel, where a missing terminator in the gpiod lookup table causes the gpio find() function to loop indefinitely if a non-existent con id is passed to it, eventually leading to an oops. This can be exploited to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A shift-out-of-bounds error was found in the Linux kernel, specifically in the gpio-wcd934x driver. The bit-mask for pins 0 to 4 is incorrectly set to BIT(n - 1) instead of BIT(0) to BIT(4). This issue was caught by the UBSAN check, which reported a shift-out-of-bounds error in the drivers/gpio/gpio-wcd934x.c file at line 34, column 14. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.