Lin Ma

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A vulnerability in the Linux kernel has been resolved, related to the wifi component and the nl80211 attribute. The issue was caused by an off-by-one error in the validation of the NL80211 ATTR MLO LINK ID attribute, which could lead to a wild-memory-access bug. The vulnerability was demonstrated with a crash stack showing a read of size 6 at a specific address. To fix the issue, the policy needs to be updated to ensure correct validation of the attribute. **Recommendations** Update the Linux kernel to version 6.6.74 or later to fix the vulnerability. As a temporary workaround, consider updating the policy to ensure correct validation of the NL80211 ATTR MLO LINK ID attribute to prevent off-by-one errors.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.0 **Description** The vulnerability is related to a global out-of-bounds read in the `ksmbd nl policy` function. This issue can be exploited to affect the confidentiality, integrity, and availability of protected information. The vulnerability was discovered by a local fuzzer and is similar to a previously reported issue. The bug trace shows a global-out-of-bounds read in the `validate nla` function and the ` nla validate parse` function. **Recommendations** To fix the vulnerability, add a placeholder named ` KSMBD EVENT MAX` and let `KSMBD EVENT MAX` be its original value - 1 according to what other netlink families do. Also, change two sites that refer to the `KSMBD EVENT MAX` to the correct value.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP NET ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA MTIMER THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace. The vulnerability is related to a buffer overflow in the net/xfrm/xfrm user.c module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A flaw exists in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP NET ADMIN privileges to directly dereference a NULL pointer in the `xfrm update ae params()` function, potentially leading to a kernel crash and denial of service. The vulnerability resides in the `net/xfrm/xfrm user.c` module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A logic error in the Linux kernel's ASoC rt5645 device removal process can lead to a potential use-after-free issue. The error occurs because the `rt5645 i2c remove()` function cancels the `&rt5645->jack detect work` before deleting the `&rt5645->btn check timer`. However, the timer handler `rt5645 btn check callback()` can re-queue the `jack detect work`, causing the canceled work to be rescheduled and potentially leading to a use-after-free scenario when `del timer sync` is run concurrently with `rt5645 btn check callback`. **Recommendations** To resolve this issue, apply the patch that fixes the cleanup order by placing the `del timer sync` function before the `cancel delayed work sync` in the `rt5645 i2c remove()` function.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.18-rc2 **Description** A use-after-free issue in the Linux kernel's NFC subsystem allows for potential exploitation. The `nfc dev up()` function does not properly check if the `rfkill` object is unregistered before use, leading to a possible crash or code execution. The issue is triggered when the `device del(&dev->dev)` function is called in `nfc unregister device()`, but the `rfkill` object is still dereferenced. Technical details include the `nfc dev up()` function and the `rfkill blocked()` function. **Recommendations** For Linux kernel versions prior to 5.18-rc2, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the NFC subsystem until a patch is available. Restrict access to the `nfc dev up()` function to minimize the risk of exploitation. Avoid using the `rfkill` object in the affected NFC subsystem until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.18.0-rc2 **Description** A use-after-free bug has been identified in the Linux kernel's NFC subsystem, specifically in the nci device detachment process. This issue arises due to a race condition between the cleanup routine and the worker thread, where the cleanup routine assumes the cmd timer has been detached, but the mod timer can re-attach it, resulting in a use-after-free error. The bug can be easily triggered, and a proof-of-concept crash trace has been provided. **Recommendations** For Linux kernel versions prior to 5.18.0-rc2, consider applying a patch that adds a flush workqueue to prevent the use-after-free bug. As a temporary workaround, consider disabling the nci device detachment process until a patch is available. Restrict access to the nci cmd work function to minimize the risk of exploitation. Avoid using the cmd timer and cmd workqueue in the affected NFC subsystem until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions prior to 5.18-rc1 Linux Kernel versions 5.4.y Linux Kernel versions 5.10.y Linux Kernel versions 5.15.y **Description** The issue is related to an out-of-bounds access vulnerability in the `nf tables newtable` function of the Linux Kernel's netfilter module. This vulnerability can be exploited to gain unauthorized access to protected information. The lack of a safeguard against invalid `nf tables` family values within the `nf tables newtable` function enables an attacker to achieve out-of-bounds access. Disabling unprivileged user namespaces can mitigate the issue. **Recommendations** For Linux Kernel versions 5.4.y, consider disabling unprivileged user namespaces to minimize the risk of exploitation. For Linux Kernel versions 5.10.y, consider disabling unprivileged user namespaces to minimize the risk of exploitation. For Linux Kernel versions 5.15.y, consider disabling unprivileged user namespaces to minimize the risk of exploitation. For Linux Kernel versions prior to 5.18-rc1, consider disabling unprivileged user namespaces to minimize the risk of exploitation. As a temporary workaround, consider restricting the use of the `nf tables newtable` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `nci request` function in `net/nfc/nci/core.c` of the NFC Controller Interface (NCI) in the Linux kernel. This issue is related to the use of memory after it has been freed. The flaw could allow a local attacker with user privileges to cause a data race problem while a device is being removed, leading to a privilege escalation problem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the NFC stack of the Linux kernel can lead to a threat to confidentiality, integrity, and system availability. The vulnerability is related to the NFC controller interface (NCI) and can be exploited to elevate privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.13-rc5 **Description** A use-after-free in the function `hci sock bound ioctl()` of the Linux kernel HCI subsystem was found. This occurs when a user calls `ioct HCIUNBLOCKADDR` or triggers a race condition with the call `hci unregister dev()` together with one of the calls `hci sock blacklist add()`, `hci sock blacklist del()`, `hci get conn info()`, or `hci get auth info()`. A privileged local user could use this flaw to crash the system or escalate their privileges on the system. **Recommendations** For Linux kernel versions prior to 5.13-rc5, update to version 5.13-rc5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hci sock bound ioctl()` function and limiting the use of `ioct HCIUNBLOCKADDR` until a patch is available. Additionally, restricting the use of `hci unregister dev()` and related functions may help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.12.2 **Description** The issue is caused by a race condition in the net/bluetooth/hci request.c component of the Linux operating system, resulting from concurrent execution with shared resources and improper synchronization. This can allow an attacker to execute arbitrary code. **Recommendations** For Linux kernel versions through 5.12.2, update to a version later than 5.12.2 to resolve the issue. As a temporary workaround, consider restricting access to the net/bluetooth/hci request.c component until a patch is available.