Spender

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The Linux kernel has a vulnerability in the tracefs module, where the use of generic inode RCU for synchronizing freeing can cause a list del corruption when running the ftrace selftests. This can lead to a kernel BUG and an invalid opcode error. The vulnerability is caused by the overlapping of RCU-used or initialized-only-once members in the struct inode, such as i lru or i sb list, when structure layout randomization is enabled. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.50 or later. If updating is not possible, consider disabling the tracefs module or restricting its use to minimize the risk of exploitation. Additionally, ensure that any kernel modules that interact with the tracefs module are updated and configured correctly.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.4.22 through 4.4.28 **Description** The issue allows local users to obtain root access on non-SMEP platforms via a crafted application, due to extended asm statements in the get user asm ex macro that are incompatible with the exception table. This problem arose from incorrect backporting of a patch to older kernels. **Recommendations** For Linux kernel versions 4.4.22 through 4.4.28, consider upgrading to a version that correctly includes the necessary patch to resolve the incompatibility issue with the exception table.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.10.6 **Description** The issue is related to a memory leak in the `unshare userns` function, which can be triggered by local users through an invalid `CLONE NEWUSER` unshare call, leading to a denial of service due to memory consumption. **Recommendations** For Linux kernel versions prior to 3.10.6, update to version 3.10.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.6 **Description** The issue concerns multiple vulnerabilities in the Linux operating system, specifically in the Debian GNU/Linux package, which can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information. A heap-based buffer overflow vulnerability exists in the `tg3 read vpd` function in the Linux kernel, allowing physically proximate attackers to cause a denial of service or possibly execute arbitrary code via crafted firmware. **Recommendations** For Linux kernel versions prior to 3.8.6, update to version 3.8.6 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the system to minimize the risk of exploitation.