Dmitry Vyukov

**Name of the Vulnerable Software and Affected Versions** Abseil versions prior to commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 Abseil versions prior to 20230802.1-4ubuntu1.2 Abseil versions prior to 0~20200923.3-2+deb11u1 **Description** Abseil-cpp contains a heap buffer overflow issue. The `sized constructors`, `reserve()`, and `rehash()` methods of `absl::{flat,node}hash{set,map}` did not enforce a limit on the size of their input argument. This allowed a malicious actor to provide a large size, causing an integer overflow when calculating the container's backing store size, leading to an out-of-bounds memory write. Subsequent access to the container could also result in out-of-bounds memory access. The issue could potentially allow an attacker to cause a denial of service or memory corruption. **Recommendations** Upgrade to a version past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1. Upgrade to version 20230802.1-4ubuntu1.2. Upgrade to version 0~20200923.3-2+deb11u1.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.13.0-rc7 **Description** A use-after-free issue has been identified in the Linux kernel, specifically in the btrfs file system. This occurs when attempting to join an aborted transaction, where the 'aborted' field is read after unlocking fs info->trans lock and without holding any extra reference count on it. This allows a concurrent task that is aborting the transaction to free the transaction before the 'aborted' field is read, resulting in a use-after-free. The issue was reported by syzbot and Dmitry, with stack traces provided from KASAN. **Recommendations** To resolve this issue, update to a version of the Linux kernel that includes the fix for this use-after-free issue. As a temporary workaround, consider restricting access to the btrfs file system until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been identified, related to an out-of-bounds read during lookup in the xfrm state. The issue arises when lookup and resize operations run in parallel, and the hash functions can observe a hmask value that is too large for the new hlist array. This is due to the xfrm state hash generation seqlock ensuring a retry, but not preventing the hash functions from accessing an inconsistent hmask value. The vulnerability can be exploited when the update to state bydst is not properly synchronized with the lookup function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in `qdisc graft` in `net/sched/sch api.c` in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. The issue can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference in the tipc component of the Linux kernel. Specifically, the function `tipc aead init()` is vulnerable, and exploitation can lead to a denial of service. The problem arises because `kmemdup` can return a null pointer, which is not checked, resulting in a null key being dereferenced later in `tipc crypto key xmit`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the handling of the hrtimer in the mac80211-hwsim module. When the timer fires late due to vCPU scheduling, it attempts to rearm the timer at the next deadline, which may be in the past. This behavior is incorrect and can cause stalls. The correct approach is to align the beacons to the TBTT (Target Beacon Transmission Time) and resume at the current point if late. The code has been changed to use `hrtimer forward now()` to ensure the next firing of the timer is at the next interval point after the current time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.14.8 **Description** The issue allows attackers to obtain potentially sensitive information from kernel memory. This is related to a write mmio stack-based out-of-bounds read in the KVM implementation, specifically in the files arch/x86/kvm/x86.c and include/trace/events/kvm.h. **Recommendations** For Linux kernel versions prior to 4.14.8, update to version 4.14.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.13.5 **Description** The issue concerns the x86/fpu subsystem in the Linux kernel, which does not correctly handle attempts to set reserved bits in the xstate header via the `ptrace()` or `rt sigreturn()` system call when a processor supports the xsave feature but not the xsaves feature. This allows local users to read the FPU registers of other processes on the system. **Recommendations** For Linux kernel versions prior to 4.13.5, update to version 4.13.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ptrace()` and `rt sigreturn()` system calls to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.13-rc1 through 4.13-rc6 **Description** The issue is related to a NULL pointer dereference in the Linux kernel, specifically in the net/ipv4/route.c file. This allows local users to cause a denial of service or possibly have other unspecified impacts via crafted system calls. The problem is associated with errors in pointer handling. **Recommendations** For Linux kernel versions 4.13-rc1 through 4.13-rc6, consider applying a patch that fixes the NULL pointer dereference issue in the net/ipv4/route.c file to prevent local users from causing a denial of service or other potential impacts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.10.2 **Description** A race condition exists in the Linux kernel, allowing local users to cause a denial of service, such as a system crash, via crafted system calls. This issue is related to incorrect interaction between `put ucounts` and `get ucounts` due to certain decrement behavior. **Recommendations** For Linux kernel versions prior to 4.10.2, update to version 4.10.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.13 **Description** The issue is related to the improper management of lock dropping by the `hashbin delete` function in the Linux kernel, which can be exploited by local users to cause a denial of service (deadlock) through crafted operations on IrDA devices. **Recommendations** For Linux kernel versions prior to 4.9.13, update to version 4.9.13 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.11 **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop and soft lockup. This can be achieved via vectors involving a TCP packet with the URG flag. The `tcp splice read` function in `net/ipv4/tcp.c` is the vulnerable component. **Recommendations** For Linux kernel versions prior to 4.9.11, update to version 4.9.11 or later to resolve the issue. As a temporary workaround, consider restricting the handling of TCP packets with the URG flag to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.8 **Description** The issue is related to errors in resource management in the `nested vmx check vmptr` function of the Linux operating system. This can be exploited by a local attacker to cause a denial of service, specifically through memory consumption. The `nested vmx check vmptr` function in the Linux kernel improperly emulates the VMXON instruction, allowing KVM L1 guest OS users to cause a denial of service by leveraging the mishandling of page references. **Recommendations** For Linux kernel versions prior to 4.9.8, update to version 4.9.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `nested vmx check vmptr` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9.4 **Description** The issue allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt. **Recommendations** For Linux kernel versions prior to 4.9.4, update to version 4.9.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.9 **Description** The issue is related to the netfilter subsystem in the Linux kernel, which mishandles IPv6 reassembly. This can be exploited by local users via a crafted application that makes socket, connect, and writev system calls, potentially leading to a denial of service (integer overflow, out-of-bounds write, and GPF) or other unspecified impacts. **Recommendations** For Linux kernel versions prior to 4.9, update to version 4.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.8.12 **Description** The issue allows guest OS users to gain host OS privileges or cause a denial of service, resulting in an out-of-bounds array access and host OS crash, via a crafted interrupt request when I/O APIC is enabled. This is related to the files arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h. **Recommendations** For Linux kernel versions prior to 4.8.12, update to version 4.8.12 or later to resolve the issue. As a temporary workaround, consider disabling I/O APIC to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.8.12 **Description** The issue allows local users to obtain sensitive information from kernel stack memory via a crafted application due to improper initialization of Code Segment (CS) in certain error cases. **Recommendations** For versions prior to 4.8.12, update to version 4.8.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.6.6 **Description** A race condition exists in the get task ioprio function, allowing local users to potentially gain privileges or cause a denial of service through a crafted ioprio get system call. This issue can lead to a use-after-free scenario. **Recommendations** For Linux kernel versions prior to 4.6.6, update to version 4.6.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the ioprio get system call to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.5.2 **Description** The issue is related to a use-after-free vulnerability in the ` sys recvmmsg` function, located in the net/socket.c file of the Linux kernel. This vulnerability can be exploited by remote attackers to execute arbitrary code through vectors involving a recvmmsg system call that is mishandled during error processing. **Recommendations** For Linux kernel versions prior to 4.5.2, update to version 4.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the recvmmsg system call to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.4.2 **Description** The issue allows local users to cause a denial of service, resulting in a system crash due to a NULL pointer dereference. This occurs when a crafted application does not supply a key, related to the `lrw crypt` function. **Recommendations** For Linux kernel versions prior to 4.4.2, update to version 4.4.2 or later to resolve the issue.