Chih-Yen Chang

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.10 **Description** An issue in the Linux kernel's ksmbd module, specifically in fs/smb/server/smb2misc.c, does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read. This could allow an attacker to access protected information or cause a denial of service. **Recommendations** For Linux kernel versions prior to 6.3.10, update to version 6.3.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the ksmbd module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.8 **Description** An issue in the Linux kernel's ksmbd module, specifically in the fs/smb/server/connection.c file, does not validate the relationship between the NetBIOS header's length field and the SMB header sizes. This can lead to an out-of-bounds read via the pdu size in the ksmbd conn handler loop function, potentially allowing an attacker to access protected information or cause a denial of service. **Recommendations** For Linux kernel versions prior to 6.3.8, update to version 6.3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the ksmbd module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.9 **Description** An issue was discovered in the Linux kernel where ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read. This could allow a remote attacker to access protected information or cause a denial of service. The vulnerability is related to the `ksmbd verify smb message()` function in the `fs/smb/server/smb common.c` file of the KSMBD file system. **Recommendations** For Linux kernel versions prior to 6.3.9, update to version 6.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the ksmbd module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.8 **Description** The issue is related to an integer underflow and out-of-bounds read in the `deassemble neg contexts()` function in the `fs/smb/server/smb2pdu.c` file of the KSMBD filesystem in the Linux kernel. This can allow a remote attacker to access protected information or cause a denial of service. **Recommendations** For Linux kernel versions prior to 6.3.8, update to version 6.3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fs/smb/server/smb2pdu.c` module until a patch is available. Avoid using the `deassemble neg contexts()` function in the affected kernel versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.4 **Description** An issue was discovered in the Linux kernel where ksmbd has an out-of-bounds read in `smb2 find context vals` when `create context`'s `name len` is larger than the tag length. This issue may allow an attacker to access protected information or cause a denial of service. **Recommendations** For Linux kernel versions prior to 6.3.4, update to version 6.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ksmbd` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An out-of-bounds (OOB) memory read flaw was found in the `parse lease state()` function in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse lease state()` function, the `create context` object can access invalid memory. This issue is related to errors in variable initialization in the `parse lease state()` function. Exploitation of this issue may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 104.0.5112.79 **Description** The issue is related to a heap buffer overflow in the PDFium PDF content handler, which can be exploited by a remote attacker who convinces a user to engage in specific interactions. This can potentially lead to heap corruption via a crafted PDF file. The attacker could execute arbitrary code. **Recommendations** For versions prior to 104.0.5112.79, update to version 104.0.5112.79 or later to resolve the issue. As a temporary workaround, consider avoiding the use of PDF files from untrusted sources until the update is applied.