Mathias Krause

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, related to the tracing system. When eventfs was introduced, special care was taken to coordinate the freeing of file meta data with files exposed to user space. However, a shortcut was made for the "format" file, which did not check the file's meta data flag `EVENT FILE FL FREED` before accessing the event. This caused a race condition that could be triggered via the user events test and running a loop to read user events format files, resulting in a use-after-free bug report. A new helper function `event file file()` was added to ensure the `event mutex` is held and return NULL if the `trace event file` has the `EVENT FILE FL FREED` flag set. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The Linux kernel has a vulnerability in the tracefs module, where the use of generic inode RCU for synchronizing freeing can cause a list del corruption when running the ftrace selftests. This can lead to a kernel BUG and an invalid opcode error. The vulnerability is caused by the overlapping of RCU-used or initialized-only-once members in the struct inode, such as i lru or i sb list, when structure layout randomization is enabled. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.50 or later. If updating is not possible, consider disabling the tracefs module or restricting its use to minimize the risk of exploitation. Additionally, ensure that any kernel modules that interact with the tracefs module are updated and configured correctly.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the drm/vmwgfx component of the Linux kernel, where a failing usercopy of the `fence rep` object leads to a stale entry in the file descriptor table. This allows userland to refer to a dangling 'file' object through a still valid file descriptor, enabling various use-after-free exploitation scenarios. The problem arises because `put unused fd()` does not release the file descriptor, and the fix involves deferring the call to `fd install()` until after the usercopy has succeeded. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free error in the Linux kernel, specifically in the misc component of the fastrpc module. When the copy back to userland fails for the FASTRPC IOCTL ALLOC DMA BUFF ioctl(), it should not be assumed that 'buf->dmabuf' is still valid. In fact, dma buf fd() called fd install() before, consuming one reference and leaving none. Calling dma buf put() will put a reference that is no longer owned, leading to a valid file descriptor table entry for an already released 'file' object, which is a straight use-after-free. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free flaw in the Linux kernel's File System notify functionality, specifically in the way the `copy info records to user()` function is called, which can fail in `copy event to user()`. This can be exploited by a local user to potentially escalate their privileges or crash the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vmwgfx driver (affected versions not specified) **Description** The issue is related to a local privilege escalation vulnerability in the vmwgfx driver. This vulnerability allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer. The vulnerability is also associated with the use of memory after it has been freed, specifically in the vmw execbuf copy fence user() function. This can be exploited by an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.14 through 5.16.4 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel, specifically in the kernel/ucount.c file, when unprivileged user namespaces are enabled. This allows a ucounts object to outlive its namespace, potentially leading to privilege escalation. The problem is associated with the handling of rlimit restrictions in different user namespaces. **Recommendations** For Linux kernel versions 5.14 through 5.16.4, update to version 5.16.5 or 5.15.19 to resolve the issue. As a temporary workaround, consider disabling unprivileged user namespaces until a patch is available. Restrict access to the vulnerable `ucount` mechanism to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 2.6.35 Description: The issue allows local users to cause a denial of service, resulting in a system crash, by sending signals with a process group ID of zero to the swapper process. This is possible because the Linux kernel before version 2.6.35 does not prevent such signals from reaching the swapper process. Recommendations: For Linux kernel versions prior to 2.6.35, update to version 2.6.35 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BusyBox versions prior to 1.23.0 **Description** The issue is related to the `add probe` function in `modutils/modprobe.c` and is caused by insufficient input validation, allowing local users to bypass restrictions on loading kernel modules by using a `/` character in a module name. This can be demonstrated through commands such as "ifconfig /usbserial up" or "mount -t /snd pcm none /". The vulnerability affects the integrity of data. **Recommendations** For versions prior to 1.23.0, update to version 1.23.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `add probe` function until a patch is available. Avoid using the `/` character in module names to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** linux-image versions 3.13.0 through 3.16.0 linux-image versions prior to 3.18.5 **Description** The issue affects the Linux kernel and can lead to breaches of confidentiality, integrity, and availability of protected information. It can be exploited locally or remotely. The Crypto API in the Linux kernel allows local users to load arbitrary kernel modules via a bind system call for an AF ALG socket with a module name in the `salg name` field. **Recommendations** For linux-image versions 3.13.0 through 3.16.0, update to a version prior to 3.18.5 to resolve the issue. For linux-image versions prior to 3.18.5, update to version 3.18.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the AF ALG socket to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9-rc7 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the `llcp sock recvmsg` function in `net/nfc/llcp/sock.c` not initializing a certain length variable and a certain data structure, which can be exploited via a crafted `recvmsg` or `recvfrom` system call. **Recommendations** For Linux kernel versions prior to 3.9-rc7, update to version 3.9-rc7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `llcp sock recvmsg` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9-rc7 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the nr recvmsg function in net/netrom/af netrom.c not initializing a certain data structure, which can be exploited via a crafted recvmsg or recvfrom system call. **Recommendations** For Linux kernel versions prior to 3.9-rc7, update to version 3.9-rc7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9-rc7 **Description** The issue is related to the `vmci transport dgram dequeue` function in the Linux kernel, which does not properly initialize a certain length variable. This allows local users to obtain sensitive information from kernel stack memory via a crafted `recvmsg` or `recvfrom` system call. **Recommendations** For Linux kernel versions prior to 3.9-rc7, update to version 3.9-rc7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9-rc7 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the sco sock recvmsg function in net/bluetooth/sco.c not initializing a certain length variable, which can be exploited via a crafted recvmsg or recvfrom system call. **Recommendations** For Linux kernel versions prior to 3.9-rc7, update to version 3.9-rc7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9-rc7 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the l2tp ip6 recvmsg function in net/l2tp/l2tp ip6.c not initializing a certain structure member, which can be exploited via a crafted recvmsg or recvfrom system call. **Recommendations** For Linux kernel versions prior to 3.9-rc7, update to version 3.9-rc7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9-rc7 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the `vsock stream sendmsg` function in `net/vmw vsock/af vsock.c` not initializing a certain length variable, which can be exploited via a crafted `recvmsg` or `recvfrom` system call. **Recommendations** For Linux kernel versions prior to 3.9-rc7, update to version 3.9-rc7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.4 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the failure of the net/dcb/dcbnl.c module in the Linux kernel to initialize certain structures, which can be exploited via a crafted application. **Recommendations** For versions prior to 3.8.4, update to version 3.8.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.3 **Description** The issue concerns the report API in the crypto user configuration API of the Linux kernel. It uses an incorrect C library function for copying strings, allowing local users with the CAP NET ADMIN capability to obtain sensitive information from kernel stack memory. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.3 **Description** The issue concerns the crypto report one function in the Linux kernel, which fails to initialize certain structure members. This allows local users with the CAP NET ADMIN capability to obtain sensitive information from kernel heap memory. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.3 **Description** The issue allows local users to obtain sensitive information from kernel memory by leveraging the CAP NET ADMIN capability. This is due to the crypto report one function in crypto/crypto user.c using an incorrect length value during a copy operation. **Recommendations** For Linux kernel versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue.