Linux · Linux Kernel · CVE-2023-52594
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue is a potential array-index-out-of-bounds read in the `ath9k_htc_txstatus()` function. It occurs when `txs->cnt`, data from a URB provided by a USB device, is bigger than the size of the array `txs->txstatus`, which is `HTC_MAX_TX_STATUS`. Although `WARN_ON()` checks for this condition, there is no bug-handling code after the check, so execution continues with the out-of-range count. With the fix, the function returns if this condition is met. The bug was found by a modified version of syzkaller and is associated with an array-index-out-of-bounds error in `htc_drv_txrx.c`, where index 13 is out of range for type `'__wmi_event_txstatus [12]'`. The call trace includes `ath9k_htc_txstatus`, `ath9k_wmi_event_tasklet`, `tasklet_action_common`, `__do_softirq`, `irq_exit_rxu`, and `sysvec_apic_timer_interrupt`.
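The check-then-return pattern described above, as an added user-space C model (not the kernel's code and not part of the original entry). Only `cnt`, `txstatus` and `HTC_MAX_TX_STATUS` (12) come from the description; the struct layouts, the function `process_txstatus` and its return convention are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTC_MAX_TX_STATUS 12 /* array size given in the description */

/* Simplified stand-ins for the driver's event layout (assumed, not kernel code). */
struct tx_status_entry { uint8_t cookie, ts_rate, ts_flags; };
struct tx_status_event {
    uint8_t cnt; /* supplied by the USB device, so untrusted */
    struct tx_status_entry txstatus[HTC_MAX_TX_STATUS];
};

/* Returns the number of entries processed, or -1 if the event is rejected. */
int process_txstatus(const uint8_t *buf, size_t len, unsigned *flag_sum)
{
    struct tx_status_event ev;

    if (buf == NULL || flag_sum == NULL || len == 0)
        return -1;
    memset(&ev, 0, sizeof(ev));
    memcpy(&ev, buf, len < sizeof(ev) ? len : sizeof(ev));

    /* A warning alone is not enough: without this return the loop
     * below would read past txstatus[11] whenever cnt exceeds 12. */
    if (ev.cnt > HTC_MAX_TX_STATUS) {
        fprintf(stderr, "rejecting event: cnt=%u\n", (unsigned)ev.cnt);
        return -1;
    }

    *flag_sum = 0;
    for (int i = 0; i < ev.cnt; i++)
        *flag_sum += ev.txstatus[i].ts_flags;
    return ev.cnt;
}

int main(void)
{
    /* Constructed sample: cnt = 13, one more than the array holds. */
    uint8_t oversized[sizeof(struct tx_status_event)] = { 13 };
    unsigned sum = 0;

    printf("cnt=13 -> %d\n", process_txstatus(oversized, sizeof(oversized), &sum));
    return 0;
}
```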
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.