Tao Liu

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A divide by zero error has been fixed in the Linux kernel, specifically in the rdma dim stats compare() function when prev->cpe ratio equals 0. This issue is related to the RDMA DIM (Remote Direct Memory Access Device-Specific Interface for Memory) functionality. The error occurs due to a division by zero in the backport rdma dim function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.0-rc3 **Description** The Linux kernel has a vulnerability in the net/sched module, specifically in the act ct function. This function adds a reference to the skb (socket buffer) before defragmentation, which can lead to a crash when the skb is cloned and shared at the same time. The issue arises when fragments arrive out of order, causing the last fragment's reference to be reset, resulting in a memory leak. The situation worsens when packet capture is initiated, leading to a crash. The vulnerability is fixed by removing the skb get() call before defragmentation. **Recommendations** For Linux kernel versions prior to 6.7.0-rc3, update to a newer version that includes the fix for this vulnerability. If updating is not possible, consider disabling the act ct function or restricting its use to minimize the risk of exploitation. Additionally, avoid using the skb clone() function in conjunction with act ct to prevent the crash.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A listener leak issue in the RDMA/cma component of the Linux kernel has been resolved. The issue occurs when `cma listen on all()` fails, leaving the per-device ID on the `listen list` without setting the state to `RDMA CM ADDR BOUND`. As a result, when the `cmid` is eventually destroyed, `cma cancel listens()` is not called due to the incorrect state, and the per-device IDs still hold the refcount, preventing the ID from being destroyed and causing a deadlock. The issue is resolved by ensuring that `cma listen on all()` atomically unwinds its action under the lock during error. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.