David Wang

**Name of the Vulnerable Software and Affected Versions:** Linux kernel versions prior to 6.16.0-rc2 **Description:** The Linux kernel contained a flaw in the `alloc tag top users()` function within the `lib/alloc tag` component. This function attempted to acquire a semaphore lock (`alloc tag cttype->mod lock`) even when `alloc tag cttype` was not allocated, which could occur when memory profiling was disabled or initialization failed. This resulted in a crash due to attempting to acquire a non-existent semaphore, specifically a general protection fault. The issue became more easily triggered after commit 780138b12381. **Recommendations:** Update to a version of the Linux kernel later than 6.16.0-rc2.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to the Linux kernel, where a recent fix for making the takeover of the broadcast timer more reliable retrieves a per CPU pointer in preemptible context. This went unnoticed as compilers hoist the access into the non-preemptible region where the pointer is actually used, triggering a bug when using `smp processor id()` in preemptible code. The caller is `hotplug cpu broadcast tick pull+0x1c/0xc0`. The fix involves moving the per CPU pointer access into the atomic section. **Recommendations** Update to Linux kernel version 6.6.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hotplug cpu broadcast tick pull` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a performance regression in the swap operation of the netfilter ipset component in the Linux kernel. A race condition between swap/destroy and kernel side add/del/test operations has been fixed by moving the synchronize rcu() call from the swap function to the destroy function and using call rcu() instead. This change was necessary because simply calling the destroy functions as an rcu callback does not work for sets with timeout, which use garbage collectors that need to be cancelled at destroy. The destroy functions have been split into two parts: one for cancelling garbage collectors safely at the execution of the command received by netlink, and another for moving the remaining part into the rcu callback. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the `dup user cpus ptr()` function. This bug can be exploited when the `sched setaffinity()` function is invoked from another process while the process being modified is undergoing a fork operation. The bug can lead to a use-after-free and possibly a double-free in the arm64 kernel. The problem arises because `dup user cpus ptr()` accesses `user cpus ptr` without any lock protection, even though the setting and clearing of `user cpus ptr` are done under `pi lock` for the arm64 architecture. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.