Todd Kjos

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak issue has been resolved in the Linux kernel's PCI subsystem, specifically in the `reset method store()` function. The issue occurred when a string was allocated via `kstrndup()` and assigned to the local `options`. The `options` was then used with `strsep()` to find spaces. If there were no remaining spaces, `strsep()` set `options` to NULL, preventing the subsequent `kfree(options)` from freeing the memory allocated via `kstrndup()`. The fix involved using a separate `tmp options` to iterate with `strsep()` so that `options` is preserved. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 4.13 and earlier **Description** The issue is related to the `async free space` function in the Linux kernel's binder component. It causes a leak of up to 8 bytes of `async free space` on every async transaction of 8 bytes or less. This happens because the accounting of `async free space` did not add the `sizeof(void *)` back when freeing space. The fix involves using `buffer size` instead of `size` when updating `async free space` during the free operation. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the `async free space` accounting issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel's binder mechanism. During BC FREE BUFFER processing, the BINDER TYPE FDA object cleanup may close one or more file descriptors. The close operations are completed using the task work mechanism, which requires the thread to return to userspace. If this does not happen, the file object may never be dereferenced, leading to hung processes. The binder thread is forced back to userspace if a file descriptor is closed during BC FREE BUFFER handling. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.