Sönke Huster

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A buffer overflow issue has been resolved in the Linux kernel, specifically in the wifi: cfg80211 component. The problem arises from an assumption that 5 octets are present for vendor elements without proper length checking. Since the element's fit is already verified, the fix involves checking the length to prevent the overflow. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.19.16 **Description** An issue in the Linux kernel allows attackers who can inject WLAN frames to cause a buffer overflow in the `ieee80211 bss info update` function in `net/mac80211/scan.c`. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The issue is also related to an integer overflow in the `cfg80211 update notlisted nontrans` function in `net/wireless/scan.c`, which could result in an out of bounds write. **Recommendations** For Linux kernel versions prior to 5.19.16, update to version 5.19.16 or later to resolve the issue. As a temporary workaround, consider restricting access to WLAN frames to minimize the risk of exploitation. Additionally, disabling the `ieee80211 bss info update` function or restricting the use of the `cfg80211 update notlisted nontrans` function in `net/wireless/scan.c` could help mitigate the risk until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.17.0-rc5 **Description** A use-after-free issue has been identified in the Linux kernel's Bluetooth functionality, specifically in the `hci send acl` function. This issue arises when the `HCI EV DISCONN PHY LINK COMPLETE` event is received, which calls `hci conn del` without checking if `conn->type` is `AMP LINK`, leading to improper cleanup of upper layers. The estimated number of potentially affected devices worldwide is not specified. There is no information available about real-world incidents where this issue was exploited. **Recommendations** For Linux kernel versions prior to 5.17.0-rc5, update to a version that includes the fix for the use-after-free issue in the `hci send acl` function. As a temporary workaround, consider disabling the Bluetooth functionality until a patch is available. Restrict access to the vulnerable `hci send acl` function to minimize the risk of exploitation. Avoid using the `hci send acl` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.3 **Description** The issue is related to a memory leak in the Linux kernel, specifically in the drivers/bluetooth/virtio bt.c file. This memory leak occurs because socket buffers have memory allocated but not freed. The exploitation of this issue can allow a remote attacker to cause a denial of service. **Recommendations** For Linux kernel versions prior to 5.16.3, update to version 5.16.3 or later to resolve the memory leak issue. As a temporary workaround, consider restricting access to the vulnerable `virtio bt.c` driver to minimize the risk of exploitation.