David Bouman

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.1 through 6.0.3 **Description** A use-after-free issue exists in the io uring asynchronous input/output interface of the Linux kernel, specifically related to Unix SCM garbage collection and the improper update of reference counts. This flaw allows an unprivileged user to escalate privileges to root level. Technical exploitation may involve using inode locking to pause a kernel thread and employing the DirtyCred file exploitation technique. **Recommendations** Update Linux kernel to a version later than 6.0.3.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.17.3 **Description** The issue is related to a use-after-free vulnerability in the fs/io uring.c file of the Linux kernel's io uring subsystem, caused by a race condition in io uring timeouts. This can be triggered by a local user without access to any user namespace, potentially allowing the attacker to cause a denial of service or escalate privileges. The vulnerability can be exploited infrequently due to the race condition. A detailed exploit has been described, leveraging a cross-cache attack and msg msg spraying to overwrite a tls context object and execute a ROP chain to gain root. **Recommendations** For Linux kernel versions prior to 5.17.3, update to version 5.17.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the io uring subsystem until a patch is applied. Avoid using the io uring timeouts feature in the affected kernel versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** AIDE versions prior to 0.17.4 **Description** The issue allows local users to obtain root privileges via crafted file metadata, such as XFS extended attributes or tmpfs ACLs, because of a heap-based buffer overflow. **Recommendations** For versions prior to 0.17.4, update to version 0.17.4 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted file metadata to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Linux kernel in the netfilter subsystem, specifically in the linux/net/netfilter/nf tables api.c file. This issue allows a local user to cause an out-of-bounds write problem. The vulnerability is related to the nf tables module and can be exploited to elevate privileges using unshare(CLONE NEWUSER) or unshare(CLONE NEWNET) calls. The exploit can construct a filter that depends on the value of a kernel address on the stack, leaking the KASLR offset by observing side-effects, and then build a ROP chain to gain root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the use of an uninitialized pointer `nft do chain` in the `nf tables` module of the Linux kernel's `netfilter` subsystem. This can cause a use-after-free condition, potentially leading to a kernel information leak problem. The issue can be exploited by a local, unprivileged attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.