Fedor Pchelkin

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue has been identified in the Linux kernel related to Bluetooth L2CAP handling. Specifically, a NULL sock pointer is passed into `l2cap sock alloc()` when called from `l2cap sock new connection cb()`, and error handling paths should be aware of this. The problem arises because `l2cap chan create()` adds a soon-to-be-deallocated channel to a global list before it is properly initialized, but a more straightforward solution is to check for NULL instead of rearranging function calls. This issue was discovered by the Linux Verification Center using the SVACE static analysis tool. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been resolved, specifically in the ctucanfd module. The problem occurs when skb allocation fails, resulting in a NULL pointer to struct can frame. This issue is handled in most places within ctucan err interrupt() but was missing a NULL check in one location. The issue was discovered by the Linux Verification Center using the SVACE static analysis tool. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.8 Description: The vulnerability is related to the function `mac802154 llsec key del()` in the Linux kernel, which can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case `llsec lookup key()` is traversing the list of keys in parallel with a key deletion. The issue is caused by the function not properly releasing resources, resulting in a potential use-after-free scenario. The `ieee802154 llsec key entry` structures are not freed by `mac802154 llsec key del()`, leading to an unreferenced object. The vulnerability was found by the Linux Verification Center. Recommendations: To resolve the issue, update the Linux kernel to version 6.8 or later, which includes the fix for the `mac802154 llsec key del()` function. As a temporary workaround, consider disabling the `mac802154 llsec key del()` function until a patch is available. Restrict access to the vulnerable module `mac802154` to minimize the risk of exploitation. Avoid using the `llsec lookup key()` function in parallel with key deletion until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.0-rc2-dirty #16 **Description** The vulnerability is related to the apparmor module in the Linux kernel. When processing a packed profile in unpack profile(), a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa splitn fqname(). This function treats the string as only containing a namespace, returning NULL for tmpname while tmpns is non-NULL. Later, aa alloc profile() crashes as the new profile name is NULL, resulting in a general protection fault. The issue is caused by the fact that nothing can prevent the unpacked "name" from being in a form like ":samba-dcerpcd", which is passed from userspace. To mitigate this, the whole profile set replacement should be denied in such cases, and the user should be informed with EPROTO and an explaining message. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A problematic issue has been found in the Linux Kernel, specifically in the function `j1939 session destroy` of the file `net/can/j1939/transport.c`. This issue is related to incorrect handling of skb block usage counters and can lead to a memory leak. The exploitation of this issue may allow a remote attacker to cause a denial of service. **Recommendations** To fix this issue, it is recommended to apply a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.