Chenyuan Yang

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free (UAF) bug has been identified in the Linux kernel, specifically in the dm9000 drv remove function. The issue arises when the `dm` variable, which is netdev private data, is used after the `free netdev()` call. This can cause a UAF bug. The problem is similar to a previously fixed issue in the emac remove function. The bug was detected using a static analysis tool. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability in the Linux kernel has been resolved. The issue was related to a missing buffer index check in the `dvb vb2 expbuf()` function, which did not verify if the given buffer index was for a valid buffer. This check has been added to address the issue. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A crash can occur in the Linux kernel when `blk alloc disk` fails, causing the `md->disk` variable to be set to an error value. The `cleanup mapped device` function attempts to access `md->disk` even if it is non-NULL, leading to a crash when trying to set `md->disk->private data` to NULL. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the sorting functionality in the `iio gts build avail time table` function, which is not working as intended. This could result in an out-of-bounds access when the time is zero. Specifically, when `gts->itime table[i].time us` is zero, the inner for-loop may not terminate and perform out-of-bound writes. If none of the `gts->itime table[i].time us` values are zero, the elements will be copied without being sorted. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.7.4 **Description** The issue is related to the dm table create function in the drivers/md/dm-table.c module of the Linux kernel. It can attempt to allocate more than INT MAX bytes and crash due to a missing check for struct dm ioctl.target count. This can allow an attacker to cause a denial of service. **Recommendations** For Linux kernel versions through 6.7.4, as a temporary workaround, consider disabling the dm table create function until a patch is available. Restrict access to the vulnerable module drivers/md/dm-table.c to minimize the risk of exploitation. Avoid using the `target count` variable in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.4 **Description** The issue is related to the `create empty lvol()` function in the `drivers/mtd/ubi/vtbl.c` module of the Linux kernel, which lacks size control for the requested buffer. This can lead to a denial of service when the function attempts to allocate zero bytes and crashes due to a missing check for `ubi->leb size`. **Recommendations** For Linux kernel versions prior to 6.7.4, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the `create empty lvol()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The vulnerability is related to the btrfs component of the Linux kernel and is caused by an assertion failure during subvolume creation. This can lead to a denial of service. The issue arises when the `btrfs get new fs root()` function is triggered after inserting a root item for a newly created subvolume, and an anonymous device number has already been assigned to the subvolume. The `btrfs get root ref()` function is involved in this process. To fix the issue, the assertion is removed, and the preallocated anonymous device number is freed. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.7.1 **Description** The issue is related to the `copy params` function in the Linux kernel, which can attempt to allocate more than `INT MAX` bytes and crash due to a missing `param kernel->data size` check. This is connected to `ctl ioctl`. The vulnerability can be exploited to cause a denial of service. **Recommendations** For Linux kernel versions through 6.7.1, as a temporary workaround, consider restricting access to the `copy params` function in `drivers/md/dm-ioctl.c` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.7.1 **Description** The issue is related to an off-by-one error in the `rds recv track latency` function in the Linux kernel, specifically in the `net/rds/af rds.c` file. This error occurs during an `RDS MSG RX DGRAM TRACE MAX` comparison, resulting in out-of-bounds access. The exploitation of this issue may allow an attacker to impact the availability of protected information. **Recommendations** For Linux kernel versions through 6.7.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.7.4 **Description** The issue is related to the `printer write` function in the Linux kernel, specifically in the `drivers/usb/gadget/function/f printer.c` file. This function does not properly call `usb ep queue`, which might allow attackers to cause a denial of service or have unspecified other impact. **Recommendations** For Linux kernel versions through 6.7.4, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.