Davide Caratti

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when reversing the flow of traffic with the redirect (egress -> ingress), potentially reaching the same socket that generated the packet while still holding its socket lock. This can lead to a deadlock, specifically a tcp v4 rcv -> tcp v4 rcv deadlock reported by lockdep. The solution involves putting the packet in the Rx backlog rather than running the Rx path inline for all egress -> ingress reversals. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.8.0-rc1+ Description: The vulnerability is related to a double-free issue in the Linux kernel's MPTCP (Multipath TCP) implementation. When an MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet opt' for the new socket has the same value as the original one, leading to a double-free error when the program exits. This can cause a denial-of-service (DoS) condition. Recommendations: To resolve this issue, update the Linux kernel to a version that includes the fix for the double-free vulnerability, which is version 6.8.0-rc1 or later. If updating is not possible, consider disabling MPTCP or restricting its use to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.0+ **Description** The issue is related to an out-of-bounds access in the traffic path of the Linux kernel's fq pie module. This occurs when the `fq pie qdisc enqueue` function attempts to access memory beyond the allocated bounds. The vulnerability can be triggered by executing a specific script that involves adding a qdisc and filter to a network device, and then sending a ping request. The vulnerability is caused by the selection of an invalid flow, specifically `q->flows + q->flows cnt`, which is an address beyond the allocated memory. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the out-of-bounds access in the fq pie module. Specifically, versions prior to 5.12.0 should be updated to 5.12.0 or later. As a temporary workaround, consider disabling the `fq pie qdisc enqueue` function until a patch is available. However, this may have performance implications and should be carefully evaluated before implementation. Note: The provided information does not specify the exact version that includes the fix, so it is recommended to update to the latest available version of the Linux kernel.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.0-rc6+ **Description** The vulnerability is related to a stack out-of-bounds read in the `ip do fragment` function when fragmenting IPv4 packets. This occurs when the `ovs fragment` function uses a temporary `struct dst entry` and the pointer to this structure is used as a pointer to `struct rtable`, leading to an out-of-bounds read in the stack. The issue can be fixed by changing the temporary variable used for IPv4 packets in `ovs fragment`, similar to what is done for IPv6. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the stack out-of-bounds read in `ip do fragment`. As a temporary workaround, consider disabling the `ovs fragment` function until a patch is available. Restrict access to the vulnerable `openvswitch` module to minimize the risk of exploitation. Avoid using the `ip do fragment` function in the affected API endpoint until the issue is resolved.