Kees Cook

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel, specifically with the binfmt flat format. A RISC-V specific variant of this format was introduced, which does not allocate space for the array of shared library pointers. However, the code that initializes this array was not disabled, resulting in the corruption of sizeof(long) bytes before the DATA segment. This corruption generally occurs at the end of the TEXT segment. To address this, MAX SHARED LIBS UPDATE was introduced, which depends on the state of CONFIG BINFMT FLAT NO DATA START OFFSET to guard the initialization of the shared library pointer region. This ensures that the region is only initialized if space is reserved for it. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a memory corruption vulnerability in the Linux kernel's kunit/fortify component, specifically in the function DEFINE ALLOC SIZE TEST PAIR(). This vulnerability can be exploited to gain access to confidential information. The problem arises from the incorrect usage of kvalloc() and vfree() instead of kvfree() in the kv*() family of tests. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when unloading a modular pstore backend with records in pstorefs, triggering a dput() double-drop warning. This warning occurs due to the incorrect use of `d drop()` and `dput()` as mentioned in Documentation/filesystems/vfs.rst, leading to a reference counting problem. The solution involves using `d invalidate()` and updating the code to not check for error codes that can never happen. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.5 **Description** The issue is related to the `ms lib process bootblock()` function in the `ene ub6250.c` module of the ENE UB6250 reader driver in the Linux kernel. It is associated with accessing memory beyond the allocated buffer. Exploitation of this issue could allow a remote attacker to cause a denial of service. An object could potentially extend beyond the end of an allocation. **Recommendations** For Linux kernel versions prior to 6.2.5, update to version 6.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ene ub6250` driver until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a field-overflowing memcpy() in the net/mlx5e module of the Linux kernel. In preparation for FORTIFY SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), the code has been modified to avoid intentionally writing across neighboring fields. The vulnerability occurs when the compiler sees the target as being 2 bytes in size, but 18 bytes are copied, intending to write across the start, which is really vlan tci, 2 bytes. The remaining 16 bytes get written into wqe->data[0], covering byte count, lkey, and addr. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, specifically an out-of-bounds (OOB) read when handling the Post Cursor2 register. The issue was found in the `drm dp get adjust request post cursor` function, where the `link status` array was not large enough to read the Adjust Request Post Cursor2 register. This led to an OOB read error. The vulnerability was identified with a `-Warray-bounds` build. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a function in the Linux kernel's amdgpu driver, specifically the `validate bksv()` function in the `hdcp1 execution.c` module. This function is vulnerable to a buffer over-read, which could result in corrupted values if the trailing bytes are non-zero. The vulnerability can be exploited by a remote attacker to impact the confidentiality and availability of protected information. The vulnerability occurs because the code reads 8 bytes instead of the desired 5 bytes of the target field. To fix this, an appropriately sized and zero-initialized bounce buffer is used, and only 5 bytes are read before casting to `u64`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nvidia Linux driver versions prior to 295.53 **Description** A heap buffer overflow was discovered in the device control ioctl in the Linux driver for Nvidia graphics cards, which may allow an attacker to overflow 49 bytes. **Recommendations** For versions prior to 295.53, update to version 295.53 or later to resolve the issue. As a temporary workaround, consider restricting access to the device control ioctl until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nvidia Linux drivers versions prior to 295.53 **Description** A race condition was discovered in the Linux drivers for Nvidia graphics, allowing an attacker to exfiltrate kernel memory to userspace. **Recommendations** For versions prior to 295.53, update to version 295.53 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive kernel memory areas until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Graphics Drivers version 29549 **Description** A Memory Corruption issue exists due to an unknown function in the file proc/driver/nvidia/registry. **Recommendations** For NVIDIA Graphics Drivers version 29549, consider restricting access to the file proc/driver/nvidia/registry to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** whoopsie-daisy versions prior to 0.1.26 **Description** The issue allows a root user to remove arbitrary files. **Recommendations** For versions prior to 0.1.26, update to version 0.1.26 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.4.4 **Description** The issue is related to the XMLWriter component in PHP, where a memory leak occurs due to the failure to release resources after their expiration. This can be exploited by a remote attacker to disclose protected information. Specifically, passing invalid UTF-8 strings via the `xmlTextWriterWriteAttribute` function can cause libxml2 to misparse them, resulting in a memory leak in the output. **Recommendations** For versions prior to 5.4.4, update to version 5.4.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `xmlTextWriterWriteAttribute` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ettercap versions prior to 0.7.5 **Description** The issue arises from an unchecked sscanf() call, which allows an insecure temporary settings file to overflow a static-sized buffer on the stack. **Recommendations** For versions prior to 0.7.5, update to version 0.7.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Android versions Android-10 **Description** In OpenCV calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. **Recommendations** For Android version Android-10, consider restricting access to OpenCV calls that utilize libpng until a patch is available. As a temporary workaround, disabling the use of libpng in OpenCV may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11 **Description** The issue allows physically proximate attackers to cause a denial of service or obtain sensitive information from kernel memory via a crafted device. This is related to the Human Interface Device (HID) subsystem when CONFIG HID LOGITECH DJ is enabled. **Recommendations** For Linux kernel versions prior to 3.11, consider disabling the CONFIG HID LOGITECH DJ configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11 **Description** The issue is related to the Human Interface Device (HID) subsystem in the Linux kernel, which allows physically proximate attackers to cause a denial of service via a crafted device. This is due to a lack of input sanitization in the HID driver for various Logitech devices with feedback, leading to a heap-based out-of-bounds write. The affected components include drivers/hid/hid-lgff.c, drivers/hid/hid-lg3ff.c, and drivers/hid/hid-lg4ff.c. **Recommendations** For Linux kernel versions prior to 3.11, update to a version 3.11 or later to resolve the issue. As a temporary workaround, consider disabling the CONFIG LOGITECH FF, CONFIG LOGIG940 FF, or CONFIG LOGIWHEELS FF configurations until a patch is available. Restrict access to the HID subsystem to minimize the risk of exploitation. Avoid using crafted devices that could trigger the denial of service.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue affects the Human Interface Device (HID) subsystem in the Linux kernel. It allows physically proximate attackers to cause a denial of service via a crafted device. This is due to a heap-based out-of-bounds write in the `drivers/hid/hid-pl.c` file when `CONFIG HID PANTHERLORD` is enabled. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11 **Description** The issue is related to a lack of input data clearing in the HID driver for Zeroplus game controllers, leading to a local denial of service. Specifically, in the Linux kernel, the `drivers/hid/hid-zpff.c` file in the Human Interface Device (HID) subsystem is affected when `CONFIG HID ZEROPLUS` is enabled. This allows physically proximate attackers to cause a denial of service via a crafted device, resulting in a heap-based out-of-bounds write. **Recommendations** For Linux kernel versions prior to 3.11, consider disabling the `CONFIG HID ZEROPLUS` configuration to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11 **Description** The issue allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device. This is related to the Human Interface Device (HID) subsystem when CONFIG HID NTRIG is enabled. **Recommendations** For Linux kernel versions prior to 3.11, consider disabling the CONFIG HID NTRIG configuration to minimize the risk of exploitation as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11 **Description** The issue is related to multiple array index errors in the Human Interface Device (HID) subsystem, specifically in the drivers/hid/hid-core.c file. This allows physically proximate attackers to potentially execute arbitrary code or cause a denial of service due to heap memory corruption. The attack can be initiated via a crafted device that provides an invalid Report ID. **Recommendations** For Linux kernel versions prior to 3.11, update to a version 3.11 or later to resolve the issue.