Michal Luczaj

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free issue has been identified in the Linux kernel, specifically in the vsock subsystem. This issue arises when a socket is unbound during a transport reassignment, leading to a potential use-after-free scenario. The problem occurs due to the incorrect handling of socket bindings, both explicit and implicit, during the connect() and bind() operations. Technical details include the involvement of functions such as `vsock create()`, `vsock insert unbound()`, `vsock remove bound()`, and ` vsock bind()`. The issue can lead to a slab-use-after-free error, as reported by KASAN. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.73/6.12.10 **Description** The issue is related to a null pointer dereference in the Linux kernel's vsock/bpf module. This can occur when a socket has a null transport, for example, after a failed connect() call. The error can cause a kernel crash, leading to a denial of service. The `vsock bpf recvmsg()` function needs to check the `vsk->transport` especially for connected sockets (stream/seqpacket) to prevent this issue. **Recommendations** To resolve the issue, update the Linux kernel to a version newer than 6.6.73/6.12.10. As a temporary workaround, consider restricting access to the `vsock bpf recvmsg()` function, especially for connected sockets, until a patch is available. Additionally, ensure that the `vsk->transport` is properly checked in the `vsock bpf recvmsg()` function to prevent null pointer dereferences.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the `bpf sk select reuseport()` function. This leak occurs because a socket's reference is not dropped in error paths, potentially leading to a denial of service. The problem arises when a lookup in `sockmap` returns a TCP ESTABLISHED socket that had `SO ATTACH REUSEPORT EBPF` set before it was established, indicating that a non-NULL `sk reuseport cb` does not imply a non-refcounted socket. Technical details include the `sk reuseport attach bpf()` and `sk setsockopt()` functions being involved in the issue. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a garbage collector racing against connect() in the Linux kernel, specifically affecting AF UNIX/SOCK STREAM sockets. The garbage collector does not account for the risk of an embryo getting enqueued during garbage collection, leading to an incorrectly elevated inflight count and a dangling pointer within the gc inflight list. This can occur when an unconnected socket (S) is used to send a message to a listening in-flight socket (L) bound to an address, and the file descriptor (V's fd) is passed via sendmsg(), getting the inflight count bumped. The vulnerability can lead to local privilege escalation due to memory corruption, with no additional execution privileges needed, and user interaction is not required for exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VLC versions 0.8.6d **Description** A stack-based buffer overflow issue exists, allowing remote attackers to execute arbitrary code via a long subtitle in certain file types, including MicroDvd, SSA, and Vplayer files. **Recommendations** For version 0.8.6d, update to a newer version that contains a fix for this issue.