Kaixin Wang

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free vulnerability in the `switchtec ntb remove()` function due to a race condition. This vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the `switchtec ntb add` function calls `switchtec ntb init sndev`, which binds `&sndev->check link status work` with `check link status work`. If the module is removed, `switchtec ntb remove` is called, freeing `sndev` through `kfree(sndev)`, while the aforementioned work is still being used. The sequence of operations that may lead to a UAF bug involves concurrent execution of `check link status work` and `switchtec ntb remove`. To fix this, it is necessary to ensure that the work is canceled before proceeding with the cleanup in `switchtec ntb remove`. **Recommendations** To resolve the issue, ensure that the work is canceled before proceeding with the cleanup in `switchtec ntb remove`. As a temporary workaround, consider disabling the `check link status work` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `sndev` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free vulnerability in the ether3 driver due to a race condition. This vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when a timer is initialized with a callback function `ether3 ledoff` in the `ether3 probe` function, and there is a risk of a race condition if the module or device is removed, triggering the `ether3 remove` function to perform cleanup. **Recommendations** To resolve the issue, ensure that the timer is canceled before proceeding with the cleanup in the `ether3 remove` function. As a temporary workaround, consider disabling the `ether3 ledoff` function until a patch is available. Restrict access to the vulnerable `ether3` driver to minimize the risk of exploitation. Update to a newer kernel version, such as 6.6.58, which fixes bugs and vulnerabilities.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a use-after-free vulnerability in the `cdns i3c master` driver due to a race condition. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the `cdns i3c master remove` function is called, which frees the `master->base` resource, but the `cdns i3c master hj` work is still bound to it and can be used by the `i3c master do daa` function, leading to a use-after-free bug. **Recommendations** To resolve the issue, ensure that the work is canceled before proceeding with the cleanup in `cdns i3c master remove`. Update to Linux kernel version 6.6.58 or later, which includes the fix for this vulnerability. As a temporary workaround, consider disabling the `cdns i3c master` driver until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `master->base` resource in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a use-after-free vulnerability in the `svc i3c master` driver due to a race condition. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the `svc i3c master remove` function is called, which frees the `master->base` resource, while the `svc i3c master hj work` and `svc i3c master ibi work` functions are still using it. The sequence of operations that may lead to a UAF bug involves the `svc i3c master remove` function being called on one CPU core while the `svc i3c master hj work` function is being executed on another CPU core. **Recommendations** To resolve the issue, ensure that the work is canceled before proceeding with the cleanup in the `svc i3c master remove` function. As a temporary workaround, consider disabling the `svc i3c master` driver until a patch is available. Update to Linux kernel version 6.6.58 or later to fix the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel, specifically in the `pxafb` driver. This vulnerability can be exploited due to a race condition when removing the driver module, allowing an attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is caused by the `pxafb remove` function not properly canceling scheduled work before proceeding with cleanup, leading to a potential use-after-free bug. The sequence of operations that may lead to this bug involves the `pxafb task` function being executed concurrently with the `pxafb remove` function, resulting in the use of freed memory. **Recommendations** To resolve this issue, ensure that the work is canceled before proceeding with the cleanup in `pxafb remove`. As a temporary workaround, consider disabling the `pxafb` driver until a patch is available. Note that only the root user can remove the driver at runtime, so restricting access to this functionality can help minimize the risk of exploitation. Update to Linux kernel version 6.6.58 or later to fix this vulnerability.