Li Lingfeng

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc6 **Description** A use-after-free issue exists in the Linux kernel. When `posix acl release` is called, `acl access` and `acl default` are released simultaneously. However, `acl access` retains a pointer to the released `posix acl`, triggering a warning in `nfs3svc release getacl`. This can lead to a kernel panic. **Recommendations** For Linux kernel versions prior to 6.12.0-rc6, clear `acl access` and `acl default` after `posix acl release` is called to prevent the use-after-free issue. As a temporary workaround, consider disabling the `nfsd` service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** A vulnerability in the Linux kernel has been resolved, specifically in the nfsd component. When a corrupted main.sqlite file is present in /var/lib/nfs/nfsdcld/, it may result in a null pointer dereference in the nfs4 client to reclaim() function. This occurs because memdup user() returns ZERO SIZE PTR when namelen is 0. The issue can be triggered when accessing the name.data assigned the value of ZERO SIZE PTR. Technical details about exploitation include: - The `nfs4 client to reclaim()` function is vulnerable to null pointer dereference. - The `memdup user()` function returns ZERO SIZE PTR when `namelen` is 0. - The issue is triggered when accessing `name.data` assigned the value of ZERO SIZE PTR. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider checking `namelen` to prevent null pointer dereference in the `nfs4 client to reclaim()` function.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free (UAF) issue has been resolved in the Linux kernel. The issue occurs when someone tries to open an nbd device right after nbd put(), since nbd has been freed in nbd dev remove(). This is due to the disk being cleaned up by blk cleanup disk(), which does not set disk->private data to NULL as before. The fix involves implementing ->free disk and freeing private data in it. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.