Mauro Matteo Cascella

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, `virtio snd pcm in cb`, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to `virtio snd pcm status`, which makes the available space for audio data zero. The exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the `indirections table` data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A flaw was found in the QEMU Virtio PCI Bindings, specifically in the hw/virtio/virtio-pci.c file. This issue is related to an improper release and use of the irqfd for vector 0 during the boot process, which can lead to a guest triggerable crash via the `vhost net stop()` function. This allows a malicious guest to crash the QEMU process on the host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC RESTART cookie returned by the authorization server's HTTP response to a `request uri` authorization request, possibly leading to an information disclosure vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. The vulnerability may allow an attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A flaw was found in QEMU, related to an assertion failure in the `update sctp checksum()` function when calculating the checksum of a short-sized fragmented packet. This issue allows a malicious guest to crash QEMU, causing a denial of service condition. The flaw is present in the `hw/net/net tx pkt.c` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libvirt (affected versions not specified) **Description** The issue is related to a NULL pointer dereference flaw in the `udevConnectListAllInterfaces()` function in libvirt. This flaw can occur when detaching a host interface while collecting the list of interfaces via `virConnectListAllInterfaces` API. It could be used to perform a denial of service attack by causing the libvirt daemon to crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Performance Co-Pilot (PCP) (affected versions not specified) **Description** A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. The vulnerability may lead to the compromise of PCP user isolation and facilitate local PCP-to-root exploits, particularly through symlink attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** The issue is related to a flaw in the re-authentication mechanism within Keycloak, specifically in the org.keycloak.authentication module. This flaw allows an attacker to hijack an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login", prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login", an account takeover may occur, as the new session, with a different `SUB`, will possess the same `SID` as the previous session. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.28 **Description** A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The `aoecmd cfg pkts()` function improperly updates the refcnt on `struct net device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. **Recommendations** For Linux kernel versions prior to 6.6.28, update to version 6.6.28 or later to resolve the issue. As a temporary workaround, consider disabling the `aoecmd cfg pkts()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the `virtio net flush tx` function if guest features `VIRTIO NET F HASH REPORT`, `VIRTIO F VERSION 1`, and `VIRTIO NET F MRG RXBUF` are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT CHAIN object or NFT OBJECT object, allowing a local unprivileged user with CAP NET ADMIN capability to escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. This issue is related to the `nvme add user metadata()` function and allows a privileged user to specify a small meta buffer, enabling the device to perform larger Direct Memory Access (DMA) into the same buffer. This can overwrite unrelated kernel memory, causing random kernel crashes and memory corruption. The exploitation of this vulnerability may impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KVM (affected versions not specified) **Description** A flaw was found in KVM, related to an improper check in the `svm set x2apic msr interception()` function. This may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition. The issue is associated with an incorrect sequence of actions when switching to xapic mode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the use of memory after it has been freed in the vmwgfx kernel module of Linux operating systems. This could potentially allow an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible (affected versions not specified) **Description** An absolute path traversal attack exists in the Ansible automation platform, allowing an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path. The vulnerability is related to incorrect link resolution before accessing a file, which can allow an attacker to overwrite arbitrary files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible (affected versions not specified) **Description** A path traversal issue exists when Ansible extracts tarballs, allowing an attacker to craft a malicious tarball. This could result in a symlink being dropped on the disk when using the galaxy importer of Ansible Automation Hub, leading to files being overwritten. The vulnerability is related to incorrect restriction of directory path names with limited access, which could enable an attacker to overwrite arbitrary files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cri-o versions as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 **Description** The issue concerns an incorrect version of cri-o that is missing a fix, as released for certain versions of Red Hat OpenShift Container Platform. **Recommendations** For versions 4.9.48, 4.10.31, and 4.11.6 of Red Hat OpenShift Container Platform, update cri-o to a version that includes the necessary fix. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** qemu-kvm (affected versions not specified) **Description** The issue is related to a lack of checks for buffer pointer overlap with the MMIO region when transferring USB packets in the QEMU hardware emulator. Exploitation of this issue could allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glibc (affected versions not specified) **Description** A flaw was found in glibc. When the `getaddrinfo` function is called with the AF UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash. The issue is related to reading data beyond the buffer boundaries in memory, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.