Hui Peng

**Name of the Vulnerable Software and Affected Versions** Android (affected versions not specified) **Description** A flaw exists in the Android operating system's Bluetooth stack, specifically within the `build read multi rsp` function of `gatt sr.cc`. This issue is due to insufficient input validation, leading to a heap buffer overflow and a potential integer underflow. Successful exploitation allows a remote attacker to execute arbitrary code without requiring user interaction or authentication. The vulnerability resides in the handling of the GATT REQ READ MULTI VAR opcode. The vulnerability can lead to a denial-of-service or, under favorable conditions, remote code execution within the Bluetooth daemon. Exploitation involves crafting and sending specially designed Read Multiple requests that cause the `build read multi rsp()` function to incorrectly calculate the total response size, resulting in a heap corruption. The vulnerability has been demonstrated on devices using Jemalloc (Xiaomi 12T) and Scudo (Samsung A54). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** In the `eatt l2cap reconfig completed` function of `eatt impl.h`, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.4.10 **Description** The issue is related to the `l2cap sock release` function in the Linux kernel, specifically in the `net/bluetooth/l2cap sock.c` file. It involves a use-after-free error because the children of an `sk` are mishandled. This could potentially allow an attacker to cause a denial of service or have other impacts. **Recommendations** For Linux kernel versions prior to 6.4.10, update to version 6.4.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `l2cap sock release` function in `net/bluetooth/l2cap sock.c` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1, 2.8.1, and 2.7.2 are also affected **Description** The `GatherNd` function in TensorFlow takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read is triggered. This issue has been reported by Hui Peng from Baidu Security. **Recommendations** For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later to resolve the issue. For TensorFlow versions 2.9.1, 2.8.1, and 2.7.2, update to the respective cherrypicked versions to resolve the issue. As a temporary workaround, consider restricting the use of the `GatherNd` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The `ScatterNd` function in TensorFlow takes an input argument that determines the indices of the output tensor. If the input index is greater than the output tensor or less than zero, it can either write content at the wrong index or trigger a crash. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider restricting the use of the `ScatterNd` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider restricting the use of the `GatherNd` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.2.9 **Description** The issue is related to a Double Free error in the Linux kernel, specifically in the drivers/net/wireless/rsi/rsi 91x usb.c file. This error can be triggered by crafted USB device traffic, which may be remote via usbip or usbredir, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions through 5.2.9, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.2.9 **Description** The issue is related to the `check input term` function in the `sound/usb/mixer.c` file of the Linux kernel, which mishandles recursion. This leads to kernel stack exhaustion. **Recommendations** For Linux kernel versions through 5.2.9, update to a version newer than 5.2.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.2.9 **Description** The issue is related to the `parse audio mixer unit` function in the `sound/usb/mixer.c` file of the Linux kernel, which mishandles a short descriptor, leading to out-of-bounds memory access. This can potentially allow an attacker to access confidential information or cause a denial of service. **Recommendations** For Linux kernel versions through 5.2.9, update to a version newer than 5.2.9 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.2.9 **Description** The issue is related to a driver error in the Linux kernel, specifically in the `drivers/net/wireless/ath/ath6kl/usb.c` file, which is associated with NULL pointer dereference errors. This can be exploited by an attacker to cause a denial of service. The error occurs due to an incomplete address in an endpoint descriptor. **Recommendations** For Linux kernel versions prior to 5.2.9, update to version 5.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable driver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.19.9 **Description** The issue is related to the function `hso get config data` in the Linux kernel, which reads data from a USB device and uses it to index an array. This can result in an object out-of-bounds read, potentially allowing arbitrary read access in the kernel address space. The vulnerability may be exploited to cause a denial of service. **Recommendations** For Linux kernel versions prior to 4.19.9, update to version 4.19.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hso get config data` function in the `drivers/net/usb/hso.c` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.19.7 **Description** The issue is related to a use-after-free in the ALSA driver. A local user could exploit this by supplying a malicious USB Sound device that is mishandled in the `usb audio probe` function in `sound/usb/card.c`. This could allow an attacker to execute arbitrary code or cause a denial of service. **Recommendations** For Linux kernel versions prior to 4.19.7, consider updating to version 4.19.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of USB Sound devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.19.9 **Description** An issue in the Linux kernel's USB subsystem mishandles size checks during the reading of an extra descriptor, related to the ` usb get extra descriptor` function in `drivers/usb/core/usb.c`. This issue may allow an attacker to impact the confidentiality and integrity of protected information. **Recommendations** For Linux kernel versions prior to 4.19.9, update to version 4.19.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the USB subsystem to minimize the risk of exploitation.