Oleksij Rempel

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue has been identified in the Linux kernel, specifically in the at803x driver for the AR9331 PHY. This issue occurs when the kernel attempts to configure the PHY interrupt without allocating the necessary private data, resulting in a kernel paging request error. The problem is not limited to the AR9331 PHY, as other PHYs such as QCA8081 and QCA9561 may also be affected. **Recommendations** To resolve this issue, run the probe to allocate the necessary private data before configuring the PHY interrupt. As a temporary workaround, consider disabling the `at803x config intr()` function until a patch is available. Restrict access to the vulnerable `at803x` driver to minimize the risk of exploitation. Avoid using the `phy request interrupt()` function in the affected kernel versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential out-of-bounds write issue was found in the Linux kernel's handling of the PCF85063 NVMEM read through the `rtc` subsystem. The issue arises from the difference in buffer size handling between the `nvmem` interface, which supports variable buffer sizes, and the `regmap` interface, which operates with fixed-size storage. Specifically, if an `nvmem` client uses a buffer size less than 4 bytes, the `regmap read` function will write out of bounds because it expects the buffer to point to an unsigned int. This issue was resolved by introducing an intermediary unsigned int to hold the value, thus preventing the out-of-bounds write. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A double free issue was found in the Linux kernel's lan78xx driver. The buffer `buf` was being freed twice, once implicitly through `usb free urb(dev->urb intr)` with the `URB FREE BUFFER` flag and again explicitly by `kfree(buf)`. This caused a double free issue. To resolve this, the `kmalloc()` and `usb alloc urb()` calls were reordered to simplify the initialization sequence, and the redundant `kfree(buf)` was removed. Now, `buf` is allocated after `usb alloc urb()`, ensuring it is correctly managed by `usb fill int urb()` and freed by `usb free urb()` as intended. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to memory corruption by preventing array overflow in the tsc2046 component of the Linux kernel. It occurs because `indio dev->num channels` includes all physical channels plus the timestamp channel, while an array is allocated only for physical channels. The fix involves using `ARRAY SIZE()` instead of the `num channels` variable to prevent memory corruption. The software timestamp channel bit in `active scanmask` is never set by the IIO core, making the first case a cleanup rather than a fix. This issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.