Sabrina Dubroca

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference count leak occurs in `struct xfrm state` within the Linux kernel. This issue arises because the `xfrm dev unregister()` function was implemented as a no-op, even though `xfrm dev state add()` (called via `xfrm state construct()`) acquires a reference to `struct net device`. Consequently, when a `NETDEV UNREGISTER` event occurs, the reference to the network device is not properly released, leading to a memory leak. The problem is exacerbated when the `NETIF F HW ESP` bit is cleared after the reference has been acquired, as the system fails to unconditionally flush the state and policy. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the igb driver in the Linux kernel, which does not handle large MAX SKB FRAGS values properly. Setting MAX SKB FRAG to 45 causes payload corruption on TX. The root cause of the issue is that the driver does not take into account properly the shared info size when selecting the ring layout, and will try to fit two packets inside the same 4K page even when the 1st fraglist will trump over the 2nd head. An easy reproducer is to run ssh to connect to the machine, which works with MAX SKB FRAGS=17 but fails with MAX SKB FRAGS=45. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the Linux kernel's ipv6 component, specifically in the seg6 hmac init algo function. This function returns without cleaning up previous allocations if one fails, leading to a memory leak and potential denial of service. The vulnerability can be exploited to cause a denial of service. **Recommendations** Update the Linux kernel to a version that includes the fix for the memleak in seg6 hmac init algo. As a temporary workaround, consider disabling the seg6 hmac init algo function until a patch is available. Restrict access to the ipv6 component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's TLS implementation. When the decrypt request goes to the backlog and `crypto aead decrypt` returns `-EBUSY`, `tls do decryption` will wait until all async decryptions have completed. If one of them fails, `tls do decryption` will return `-EBADMSG` and `tls decrypt sg` jumps to the error path, releasing all the pages. However, the pages have been passed to the async callback and have already been released by `tls decrypt done`. The only true async case is when `crypto aead decrypt` returns `-EINPROGRESS`. With `-EBUSY`, the kernel has already waited, so it can tell `tls sw recvmsg` that the data is available for immediate copy, but it needs to notify `tls decrypt sg` (via the new `->async done` flag) that the memory has already been released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's TLS implementation, specifically in the `tls decrypt done()` function. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when `tls decrypt sg` does not take a reference on the pages from `clear skb`, causing `put page()` in `tls decrypt done` to release them, leading to a use-after-free in `process rx list` when trying to read from the partially-read skb. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.