Maxim Mikityanskiy

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A critical vulnerability was found in the Linux Kernel, affecting the `l2cap reassemble sdu` function of the Bluetooth component. The issue is related to use after free, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** To fix this issue, it is recommended to apply a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The TCP option parser in the Linux kernel's cake qdisc could read one byte out of bounds when parsing TCP options and headers. This occurs when the length is 1, and the execution flow reads one byte of the opcode. If the opcode is neither TCPOPT EOL nor TCPOPT NOP, it reads one more byte, exceeding the length of 1. The fix adds doff validation in cake get tcphdr to avoid parsing garbage as a TCP header. Garbage values could be read where CAKE expected the TCP header if doff was smaller than 5. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The TCP option parser in mptcp (`mptcp get options`) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither `TCPOPT EOL` nor `TCPOPT NOP`, it reads one more byte, which exceeds the length of 1. This issue is related to the parsing of TCP options. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The TCP option parser in synproxy (synproxy parse options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT EOL nor TCPOPT NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp input: fix stack out of bounds when parsing TCP options."). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A refcount leak issue has been identified in the Linux kernel, specifically in the htb parent to leaf offload function. The commit ae81feb7338c, which aimed to fix a NULL pointer dereference bug, was found to be incorrect. The htb graft helper function properly handles the case when new q is NULL, but skipping this call creates an inconsistency where dev queue->qdisc points to the old qdisc, while cl->parent->leaf.q points to the new one, which can be noop qdisc if new q is NULL. This inconsistency can lead to refcount leaks. The correct fix involves adding a NULL pointer check to protect qdisc refcount inc inside htb parent to leaf offload. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability has been resolved in the Linux kernel. The issue occurs when a netdev with active TLS offload goes down, and the TLS context is deallocated, but the socket still points to it. If the netdev goes up while the connection is still active, it can lead to a use-after-free of the TLS context. The commit addresses this bug by keeping the context alive until its normal destruction and implementing necessary fallbacks to resume the connection in software (non-offloaded) kTLS mode. On the TX side, `tls sw fallback` is used to encrypt all packets. The RX side already has the necessary fallbacks, and the new flag `TLS RX DEV DEGRADED` is added to indicate the fallback mode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.