Jeongjun Park

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.11.0-rc6 **Description** The issue is related to insufficient verification of `conn rsp epid` in the `htc connect service()` function, leading to an array-index-out-of-bounds error. This can cause a denial of service. The error occurs when the index 255 is out of range for the type `htc endpoint [22]`. **Recommendations** To resolve the issue, apply the patch that adds a range check for `conn rsp epid` in `htc connect service()`. As a temporary workaround, consider restricting access to the vulnerable `ath9k` driver until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a use-after-free (UAF) vulnerability in the `xenvif flush hash()` function. This occurs because `kfree rcu` is called outside the RCU read critical section during the `list for each entry rcu` iteration, leading to UAF when accessing `head->next` after the entry becomes free. The vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider modifying the `xenvif flush hash()` function to use `list for each entry safe` instead of `list for each entry rcu` to prevent the UAF vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to the JFS module in the Linux kernel, where there is no check for the case where `bmp->db numag` is greater or same than `MAXAG` due to a polluted image, causing an out-of-bounds condition in `dbNextAG()`. Additionally, there is no check for the case where `agpref` is greater than `bmp->db numag` in `dbNextAG()`, and no check for the case where `agno` is greater or same than `MAXAG` in `diAlloc()`, both of which can lead to out-of-bounds exceptions. **Recommendations** For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider adding bounds checks in `dbMount()` and `dbNextAG()` to prevent out-of-bounds exceptions until a patch is available. Restrict access to the JFS module to minimize the risk of exploitation. Avoid using the `dbNextAG()` and `diAlloc()` functions in the affected kernel versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to the incorrect initialization of the `seqpacket allow` function in the Linux kernel. There are two problems with `seqpacket allow`: it is not initialized when a socket is created, and if `VIRTIO VSOCK F SEQPACKET` is set and then cleared, `seqpacket allow` will not be cleared properly. This could allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To fix the issue, initialize `seqpacket allow` after allocation and set it unconditionally in `set features`. Update to Linux kernel version 6.6.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `vhost/vsock` module to minimize the risk of exploitation.