Syzbot

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An out-of-bounds read exists in the IPv6 routing component of the Linux kernel. The issue occurs within the `fib6 add rt2node()` function when an IPv6 route is created using `RTA NH ID`, as the `struct fib6 info` may lack the trailing `struct fib6 nh`. This leads to an out-of-bounds access when the system attempts to read `iter->fib6 nh` without first verifying if `iter->nh` is NULL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the hfsplus module where the `hfs brec read()` function fails to validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, the function may perform a partial read, leaving parts of the data structure uninitialized. This uninitialized data in `tmp.thread.nodeName` is subsequently copied by `hfsplus cat build key uni()` and used by `hfsplus strcasecmp()`, which triggers a memory error when the uninitialized bytes are used as array indices in `case fold()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free issue exists in the gfs2 iomap inline data write path. The inline data buffer head `dibh` is released prematurely in the `gfs2 iomap begin()` function via `release metapath()`, while `iomap->inline data` still points to `dibh->b data`. This leads to a use-after-free condition when `iomap write end inline()` subsequently attempts to write to the inline data area. The process involves `gfs2 iomap begin()` calling `gfs2 meta inode buffer()` to read inode metadata into `dibh`, setting `iomap->inline data`, and then calling `release metapath()`, which triggers `brelse(dibh)` and drops the reference count to zero, allowing the page to be reclaimed before the write operation occurs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 7.0.11-1.1 **Description** A reference count leak occurs in the ALSA caiaq component of the Linux kernel during probe failure. The `create card()` function increases the reference count of the USB device using `usb get dev()`, but the corresponding `usb put dev()` is only executed via the `card free()` destructor. Because the `->private free` destructor is assigned late in the `init card()` process, any failure occurring before this assignment—such as errors in `usb set interface()`, endpoint type checks, `usb submit urb()`, or the `EP1 CMD GET DEVICE INFO` exchange—prevents `card free()` from running. This results in a leak of the `struct usb device`, its descriptor allocations, and `device private` data. **Recommendations** Update to version 7.0.11-1.1 or newer.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the bridge multicast component where the `mdb n entries` count for VLAN contexts is updated conditionally. This can lead to a state where a decrease operation is performed without a corresponding previous increase, triggering a kernel warning. This behavior can be observed when enabling snooping via ` br multicast enable port ctx()` while the interface is not running, followed by a multicast database flush. The problem involves the `br multicast port ngroups dec one()`, `br multicast port ngroups dec()`, and `br multicast del pg()` functions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the `fs/ntfs3` component where processing the `valid` range `[valid : pos)` can trigger an infinite loop if the retrieved `valid` value remains constant. This can lead to system hangs, as seen in the `ntfs file write iter()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the f2fs file system where the `f2fs finish read bio()` function may access uninitialized data in a folio if the system fails to read data from the device into that folio. This can lead to an uninitialized value access within the `f2fs sanity check node footer()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A locking and synchronization error exists in the USB dummy-hcd component. A race condition can occur between a USB reset and a driver unbind process. Specifically, the `stop activity()` function may drop and re-acquire the `dum->lock` spinlock. If this occurs within `set link state()` after checking `dum->ints enabled` but before incrementing `dum->callback usage`, another thread performing a driver unbind can clear `dum->ints enabled` and `dum->driver`. This leads to the `usb gadget udc reset()` function being called with a NULL driver argument, resulting in an addressing exception and system crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An uninitialized value bug exists where `flags valid` is not initialized before the `vfs fileattr get()` function is called. This issue occurs because the `fa` variable is not handled with the same initialization mechanism as the internal `file kattr` structure, potentially leading to instability in filesystem handlers, including those used in WSL and Azure containers. The issue was identified via a KMSAN report involving the `fuse fileattr get()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An overflow occurs in the 16-bit UDP length field when processing oversized PPPoL2TP packets with UDP encapsulation. The `l2tp xmit core()` function fails to check for overflows during the assignment of the UDP length field, causing the value to be trimmed to 16 bits. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the hfs component where the use of `BUG ON` to detect overflows in `next id`, `folder count`, and `file count` within the super block info can be triggered if the MDB (Master Directory Block) is corrupted. This leads to a system crash instead of graceful error handling. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A null-pointer dereference exists in the ` udp enqueue schedule skb()` function. This occurs because `udp lib init sock()`, `udp init sock()`, and `udpv6 init sock()` can fail, leading to a null-pointer dereference of the `udp prod queue` variable within the `udp sk(sk)` structure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference count leak occurs in `struct xfrm state` within the Linux kernel. This issue arises because the `xfrm dev unregister()` function was implemented as a no-op, even though `xfrm dev state add()` (called via `xfrm state construct()`) acquires a reference to `struct net device`. Consequently, when a `NETDEV UNREGISTER` event occurs, the reference to the network device is not properly released, leading to a memory leak. The problem is exacerbated when the `NETIF F HW ESP` bit is cleared after the reference has been acquired, as the system fails to unconditionally flush the state and policy. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the erofs component where plain data is incorrectly classified as interlaced plain extents if the start position and on-disk physical length are not both aligned to the block size. In such cases, the data should be treated as shifted plain extents. This can lead to an out-of-bounds (OOB) read—a condition where the system reads data past the end of the intended buffer—within the `z erofs transform plain()` function when processing a crafted compressed image containing plain extents with unaligned physical lengths. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A circular locking dependency exists in the ntfs3 component, specifically within the `run unpack ex()` function. This issue occurs due to an AB-BA deadlock scenario where `ntfs extend mft()` acquires `ni->file.run lock` followed by `wnd->rw lock`, while `run unpack ex()` acquires `wnd->rw lock` and subsequently attempts to acquire `ni->file.run lock` inside `ntfs refresh zone()`. An AB-BA deadlock is a situation where two different threads are waiting for each other to release locks, causing the system to hang. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the OCFS2 file system where the `ocfs2 validate inode block()` function fails to validate the size of inline data when reading an inode from disk. In cases of filesystem corruption, the `i size` variable can exceed the actual inline data capacity (`id count`). This discrepancy leads the `ocfs2 dir foreach blk id()` function to iterate beyond the inline data buffer, resulting in a use-after-free (UAF) condition—where the system continues to use a pointer after it has been freed—when accessing directory entries via the `ocfs2 check dir entry()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition exists in the Linux kernel within the `tcp v6 syn recv sock()` function. The issue occurs because certain operations are performed after the call to `tcp v4 syn recv sock()`, at which point the child socket is already visible in the TCP ehash table and accessible by other CPUs. Because `newinet->pinet6` still points to the listener `ipv6 pinfo` during this window, it can lead to unstable system behavior. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak exists in the f2fs file system. The issue occurs within the `f2fs rename()` function due to a call to `f2fs setup filename()` that lacks a corresponding call to `f2fs free filename()`, preventing the proper cleanup of filename resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free condition exists in the f2fs component of the Linux kernel. The issue occurs in the `f2fs write end io()` function when `sbi->nr pages[F2FS WB CP DATA]` is decremented to zero. This can lead to a NULL pointer dereference in the `f2fs in warm node list()` function because `f2fs put super()` may set `sbi->node inode` to NULL concurrently. This race condition results in a system panic when the kernel attempts to check if a folio belongs to the node inode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak occurs in the comedi component because the `do cmd ioctl()` function does not account for exceptional exit cases where `runflags` is not set. This prevents the `do become nonbusy()` function from properly freeing the `chanlist` memory, as the freeing process depends on `runflags` being correctly set. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.