Felix Fietkau

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue has been identified in the mt7915 mac fill rx vector routine of the mt76 driver in the Linux kernel. This issue occurs when the chip does not support dbdc and the hardware reports the band idx set to 1. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue concerns the Linux kernel's handling of TCP fragmentation. Specifically, it involves the `net: gso: fix tcp fraglist segmentation after pull from frag list` fix, which addresses a problem where optional datapath hooks like NAT and BPF can modify SKB GSO FRAGLIST skbs, breaking their invariants. This can lead to a NULL pointer dereference in ` tcpv4 gso segment list csum` at `tcp hdr(seg->next)`. The solution involves detecting invalid geometry due to pull by checking the `head skb` size and converting it to be able to pass to regular `skb segment` instead of `skb segment list`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the incorrect handling of errors in the Linux kernel's core component, specifically with the `skb copy` and `skb copy expand` functions when dealing with `SKB GSO FRAGLIST` skbs. These skbs must not be linearized, as this would make them invalid and potentially lead to a crash when `skb gso segment` is called later. The vulnerability can be exploited to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a use-after-free vulnerability in the `free irq()` function of the MediaTek MT7925E (PCIe) driver in the Linux kernel. This vulnerability can be exploited to cause a denial of service. The `mt7925 pci remove()` function in the `drivers/net/wireless/mediatek/mt76/mt7925/pci.c` module is also affected by the reuse of previously freed memory. To address this issue, a flag `MT76 REMOVED` is applied to indicate that the device was removed, preventing further resource access. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a race condition in the mac80211 component of the Linux kernel. This condition can lead to potential crashes due to uninitialized drv priv data when fast-xmit is enabled before the sta has been uploaded to the driver. The vulnerability may allow an attacker to elevate privileges in the system. The affected functions include ieee80211 check fast xmit() in net/mac80211/tx.c and sta info insert finish() in net/mac80211/sta info.c. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free race condition exists in the Linux kernel, specifically in the mt76 module, related to tx status on station removal. There is a small window where ongoing tx activity can lead to a skb being added to the status tracking idr after it has been cleaned up, keeping the wcid linked in the status poll list. This issue occurs due to the timing of when the wcid pointer is cleared in dev->wcid during mt76 sta pre rcu remove. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `mt76 dma tx queue skb raw` function in the Linux kernel's mt76 component. It involves a potential DMA mapping leak due to the `buf` being uninitialized, which could cause its `skip unmap` field to inherit a non-zero value from stack garbage. This may lead to DMA mappings for MCU command frames not being unmapped after completion, potentially allowing an attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.