Stefano Brivio

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the netfilter module in the Linux kernel, specifically with the `nf set pipapo` function. The problem arises when the initial buffer is not properly initialized, leading to incorrect results in the map search step. This occurs when the size of the first field is smaller than the maximum size, causing one-bits to leak into future rounds' result maps. As a result, `pipapo` finds incorrect matching results for sets where the first field size is not the largest. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions prior to 7.0.20 **Description** The issue is related to errors in resource release in the Core component of Oracle VM VirtualBox, allowing a low-privileged attacker with logon to the infrastructure to compromise Oracle VM VirtualBox. Successful attacks can result in unauthorized ability to cause a hang or frequently repeatable crash of Oracle VM VirtualBox. This issue applies to Linux hosts only. **Recommendations** For versions prior to 7.0.20, update to version 7.0.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the Core component of Oracle VM VirtualBox to minimize the risk of exploitation. Additionally, ensure that Oracle VM VirtualBox is running with the least privileges necessary to reduce the impact of a potential attack.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions 4.7-rc1 through 4.13 Description: A kernel data leak was found due to an out-of-bound read in the Linux kernel. This issue affects the inet diag msg sctp{,l}addr fill() and sctp get sctp info() functions, where a data leak occurs when filling in sockaddr data structures used for exporting socket's diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace. The vulnerability can be exploited by a local attacker to cause a memory leak. Recommendations: For Linux kernel versions 4.7-rc1 through 4.13, consider disabling the `inet diag msg sctp{,l}addr fill()` and `sctp get sctp info()` functions as a temporary workaround until a patch is available. Restrict access to the vulnerable functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.