Toke Høiland-Jørgensen

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to an integer overflow in the stackmap code of the Linux kernel on 32-bit architectures. This overflow occurs when the roundup pow of two() function is used to compute the number of hash buckets, and it contains an overflow check by verifying if the resulting value is 0. However, on 32-bit architectures, the roundup code itself can overflow due to a 32-bit left-shift of an unsigned long value, which is undefined behavior and may not truncate neatly. The problem was triggered by syzbot on the DEVMAP HASH type, which includes the same check copied from the hashtab code. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to an integer overflow in the hashtab code of the Linux kernel on 32-bit architectures. The hashtab code uses the roundup pow of two() function to compute the number of hash buckets and contains an overflow check. However, on 32-bit architectures, the roundup code itself can overflow due to a 32-bit left-shift of an unsigned long value, which is undefined behavior. This was triggered by syzbot on the DEVMAP HASH type. The exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the libbpf component in the Linux kernel. When the `feature flags` and `xdp zc max segs` fields were added to the `libbpf bpf xdp query opts`, the code did not use the `OPTS SET()` macro, causing libbpf to write to those fields unconditionally. This results in stack corruption for programs compiled against an older version of libbpf with a smaller size of the `bpf xdp query opts` struct. The vulnerability can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a race condition in the Linux kernel, specifically in the cfg80211 component. This condition can occur when cfg80211 destroy ifaces() runs while nl80211 netlink notify() is still marking some interfaces as nl owner dead. The problem arises from having two loops: one for closing netdevs and another for destroying them. If there are two netdevs, the first one can be closed during the first iteration, and then during the second iteration, the code may try to destroy both, including the one that was not closed yet. This can lead to a deadlock. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.