Budimir Markovic

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the use of memory after it has been freed in the `qdisc tree reduce backlog()` function of the Linux kernel. This can lead to a denial of service. The problem arises from an incorrect assumption about Qdiscs with a major handle of `ffff:` being either root or ingress, which can cause a use-after-free (UAF) error with a dangling class pointer. The vulnerability can be exploited by creating egress Qdiscs with a major handle of `ffff:`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the `netem dequeue()` function. When `netem dequeue()` enqueues a packet to an inner qdisc and that qdisc returns ` NET XMIT STOLEN`, the packet is dropped, but `qdisc tree reduce backlog()` is not called to update the parent's `q.qlen`. This leads to a similar use-after-free issue as seen in a previous commit. The vulnerability can be triggered using specific commands to configure the network interface and send packets. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.10.6 **Description** A bug in the `netem enqueue()` function can lead to a use-after-free issue. This occurs when a packet is duplicated and the original packet is dropped, causing the parent qdisc's `q.qlen` to be mistakenly incremented. As a result, `qlen notify()` may be skipped during destruction, leaving a dangling pointer for some classful qdiscs like DRR. The issue arises in two scenarios: when the duplicated packet is dropped by `rootq->enqueue()` and the original packet is also dropped, or when `rootq->enqueue()` sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases, `NET XMIT SUCCESS` is returned even though no packets are enqueued at the netem qdisc. **Recommendations** To resolve the issue, upgrade the Linux kernel to a version later than 6.10.6. As a temporary workaround, consider disabling the `netem enqueue()` function until a patch is available. Restrict access to the vulnerable `netem` module to minimize the risk of exploitation. Avoid using the `rootq->enqueue()` function with duplicated packets until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf event's `read size` can overflow, leading to an heap out-of-bounds increment or write in `perf read group()`. This issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information and elevate their privileges in the system. **Recommendations** Upgrade past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `perf read group()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If `perf read group()` is called while an event's `sibling list` is smaller than its child's `sibling list`, it can increment or write to memory locations outside of the allocated buffer. **Recommendations** Upgrade past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 to resolve the issue. As a temporary workaround, consider restricting access to the `perf read group()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: sch hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the `HFSC FSC` flag set) has a parent without a link-sharing curve, then `init vf()` will call `vttree insert()` on the parent, but `vttree remove()` will be skipped in `update vf()`. This leaves a dangling pointer that can cause a use-after-free. **Recommendations** Upgrade past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `sch hfsc` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation. The `perf group detach` function did not check the event's siblings' `attach state` before calling `add event to groups()`, but `remove on exec` made it possible to call `list del event()` on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability. **Recommendations** Upgrade past commit fd0815f632c24878e325821943edccc7fde947a2 to resolve the issue. As a temporary workaround, consider restricting access to the `perf group detach` function until a patch is available.