Florian Westphal

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to a memory leak in the `nft flow offload` component of the Linux kernel. Specifically, the issue arises when the direct xmit path is used, and the `dst release()` function is called. This can lead to an unreferenced object, as reported by `kmemleak`. The vulnerability may allow an attacker to cause a denial of service. Technical details include the involvement of functions such as `kmem cache alloc()`, `dst alloc()`, and `nft flow offload eval()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference flaw in the nft inner.c functionality of netfilter in the Linux kernel. This flaw could allow a local user to crash the system or escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the netfilter component of the Linux kernel during the update of stateful objects. Stateful objects can be updated from the control plane, and the transaction logic allocates a temporary object for this purpose. However, the `->init` function was called for this object, resulting in a memory leak when using `kfree()`. To fix this, the `->destroy` function of the object should be called, which is done by `nft obj destroy()`. This function also decrements the module refcount, but the update path does not increment it. The solution involves doing `module get` for the update case and releasing it via `nft obj destroy()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference leak occurs in the Linux kernel when switching zones or network namespaces without clearing the connection tracking (ct) entry in between. This happens because `tcf ct skb nfct cached()` returns false and `tcf ct flow table lookup()` may overwrite the old ct entry. The issue arises from the ct entry not being reusable. **Recommendations** To resolve the issue, apply the fix that frees the ct entry at `tcf ct skb nfct cached()` to prevent reference leaks when switching zones or network namespaces.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the mptcp component of the Linux kernel, which can cause a crash due to a null pointer dereference. This occurs when the `sk->sk sock kern` flag is not set correctly, allowing `setsockopt` to work for plain TCP sockets. In the case of a fallback, `accept()` can return a plain TCP socket that is still tagged as 'kernel', leading to a crash. The subflow extension has a NULL `ctx->conn` mptcp socket, resulting in a null pointer dereference in `subflow data ready`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cmd5checkpw (affected versions not specified) **Description** The issue is related to cmd5checkpw, which does not properly drop privileges when running setuid. This allows local users to read the poppasswd file by exploiting the improper privilege handling before the execvp function is called. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ngIRCd versions prior to 0.8.2 **Description** The issue is caused by an integer underflow in the Lists MakeMask() function, which can lead to a denial of service (application crash) and potentially allow the execution of arbitrary code. This occurs when a remote attacker sends a long MODE line, causing an incorrect length calculation and resulting in a buffer overflow. **Recommendations** For versions prior to 0.8.2, update to version 0.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Lists MakeMask() function until a patch is available.