Kuniyuki Iwashima

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists in the Linux kernel related to the sysctl fib multipath hash fields variable. The variable can be changed concurrently while being read, which requires the use of READ ONCE() to ensure data consistency. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists in the Linux kernel related to the sysctl tcp base mss variable. This issue occurs because the variable can be changed concurrently while being read, potentially leading to inconsistent results. To address this, the use of READ ONCE() is necessary for readers of sysctl tcp base mss. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data race issue exists in the Linux kernel due to concurrent access to a sysctl variable. This issue can lead to load/store-tearing. The problem arises from the lack of protection for readers and writers accessing the variable simultaneously. The patch resolves this by using READ ONCE() and WRITE ONCE() internally in proc douintvec minmax() to prevent data-races. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around sysctl tcp max reordering in the Linux kernel. The value of sysctl tcp max reordering can be changed concurrently while it is being read, which requires the use of READ ONCE() to ensure data consistency. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists in the Linux kernel related to the sysctl icmp echo enable probe variable. This issue occurs because the variable can be changed concurrently while being read, which requires the use of READ ONCE() to ensure data consistency. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.65 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's SMB client, specifically in the `generic ip connect()` function. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The problem occurs when the CIFS (Common Internet File System) protocol is used to reconnect to a server in a non-root network namespace, leading to a potential use-after-free error. The root cause is incorrect reference counting for the network namespace. Technical details about exploitation include: - **API Endpoints:** Not specified - **Vulnerable Parameters or Variables:** Not specified - **Function Names:** `generic ip connect()`, `cifs put tcp session()`, `clean demultiplex info()` The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Linux kernel versions prior to 6.6.65, update to version 6.6.65 or later to resolve the issue. As a temporary workaround, consider restricting the use of the CIFS protocol in non-root network namespaces until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a potential null pointer dereference in the `ip6table nat table init()` function. This function accesses `net->gen->ptr[ip6table nat net ops.id]`, but it is exposed to user space before the entry is allocated via `register pernet subsys()`. To fix this, `register pernet subsys()` should be called before `xt register template()`. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.50 or later. As a temporary workaround, consider restricting access to the `ip6table nat table init()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.10.0-rc2+ **Description** The vulnerability is related to a use-after-free issue in the Linux kernel's networking code. It can be triggered by attaching an fentry probe to ` sock release()` and the probe calling the `bpf get socket cookie()` helper, or by running `traceroute -I 1.1.1.1` on a freshly booted VM. A KASAN enabled kernel will log a slab-use-after-free error in ` sock gen cookie()`. The issue is caused by a dangling `sk` pointer when socket creation fails. To exploit this vulnerability, an attacker would need to be able to run privileged commands on the system, such as attaching an fentry probe or running `traceroute` with specific options. The vulnerability could potentially allow an attacker to gain elevated privileges or disrupt system operation. **Recommendations** To resolve this issue, it is recommended to update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, the fix involves clearing the struct socket reference in `sk common release()` to cover all protocol families create functions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue in the Linux kernel has been identified, specifically in the `unix dgram peer wake me()` function. The `unix dgram poll()` function calls `unix dgram peer wake me()` without holding the `other` lock, and checks if the receive queue is full. To fix this, `unix recvq full lockless()` should be used instead of `unix recvq full()`, as the latter can cause a data-race report by KCSAN. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around `sysctl udp l3mdev accept` in the Linux kernel. The value of `sysctl udp l3mdev accept` can be changed concurrently while it is being read, which requires the use of `READ ONCE()` to ensure a consistent view of its value. **Recommendations** To resolve this issue, apply the fix that adds `READ ONCE()` to the reader of `sysctl udp l3mdev accept`. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around the sysctl igmp llm reports variable in the Linux kernel. This occurs because the variable can be changed concurrently while being read, potentially leading to inconsistent results. To address this, the use of READ ONCE() is necessary for readers of sysctl igmp llm reports. The issue is related to the handling of IPv4 local multicast addresses. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around `sysctl tcp thin linear timeouts` in the Linux kernel. The value of `sysctl tcp thin linear timeouts` can be changed concurrently while it is being read, which requires the use of `READ ONCE()` to ensure a consistent view of its value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists in the Linux kernel related to sysctl tcp recovery. The problem occurs because sysctl tcp recovery can be changed concurrently while being read, requiring the use of READ ONCE() to ensure data consistency. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around sysctl ip prot sock in the Linux kernel. This occurs because sysctl ip prot sock is accessed concurrently, leading to potential data-race issues. To mitigate this, readers and writers need basic protection to prevent load/store-tearing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around the sysctl igmp qrv variable in the Linux kernel. The variable can be changed concurrently while being read, which may lead to unpredictable behavior. To address this, the use of READ ONCE() is necessary for readers of sysctl igmp qrv. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around `sysctl tcp notsent lowat` in the Linux kernel. The value of `sysctl tcp notsent lowat` can be changed concurrently while it is being read, which requires the use of `READ ONCE()` to ensure a consistent view of its value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around sysctl tcp fastopen in the Linux kernel. The value of sysctl tcp fastopen can be changed concurrently while it is being read, which requires the use of READ ONCE() to ensure data consistency. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around `sysctl tcp early retrans` in the Linux kernel. The value of `sysctl tcp early retrans` can be changed concurrently while it is being read, which requires the use of `READ ONCE()` to ensure a consistent view of its value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists in the Linux kernel related to the `sysctl tcp fastopen blackhole timeout` variable. This issue occurs because the variable can be changed concurrently while being read, which requires the use of `READ ONCE()` to ensure data consistency. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A data-race issue exists around `sysctl fib multipath use neigh`. The value of `sysctl fib multipath use neigh` can be changed concurrently while it is being read, which requires the use of `READ ONCE()` to ensure a consistent view of its value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.