Valis

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.19.0-rc8+ #33 **Description** The Linux kernel contains a flaw within the macvlan module. Specifically, a race condition exists in the `macvlan common newlink()` function's error path, potentially leading to a slab-use-after-free issue. This occurs when `macvlan common newlink()` makes a network device (`@dev`) visible before an error is detected, allowing its caller to directly free the device using `free netdev(dev)`. The issue requires respecting an RCU (Read-Copy-Update) period within both macvlan and the core networking stack. Exploitation involves creating a veth pair, configuring addresses, bringing up interfaces, and adding a macvlan interface, which can trigger the vulnerability. The issue was identified through KASAN (Kernel Address Sanitizer) reports during testing. **Recommendations** Update to a newer version of the Linux kernel that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The Linux kernel contains a flaw within the macvlan component, specifically in the `macvlan common newlink()` function. A use-after-free condition can occur when creating a new macvlan link with MACVLAN MODE SOURCE mode and MACVLAN MACADDR ADD or MACVLAN MACADDR SET parameters, if the lower device already has a macvlan port and `register netdevice()` fails. This failure leads to a call to `free netdev()`, which frees the `struct net device` while it is still referenced in a source entry attached to the lower device's macvlan port. Subsequently, packets sent on the macvlan port with a matching source MAC address can trigger the use-after-free in `macvlan forward source()`. The issue was identified through a reproduction scenario involving the creation of veth pairs and macvlan interfaces, and a detailed analysis provided by valis. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a race condition between async notify and socket close in the Linux kernel's TLS implementation. This can cause the submitting thread to exit prematurely, potentially leading to the use of already freed data. The vulnerability may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a synchronization error when using a shared resource in the Linux kernel's tls encrypt done function. This can lead to a denial of service. The problem arises from a race between tx work scheduling and socket close, where the submitting thread may exit as soon as the async crypto handler calls complete. To fix this, the scheduling of work is reordered to occur before calling complete, which is a more logical approach. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: sch qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in `qfq dequeue()` due to the incorrect `.peek` handler of `sch plug` and lack of error checking in `agg dequeue()`. **Recommendations** Upgrade past commit 8fc134fee27f2263988ae38920bc03da416b03d8 to resolve the issue. As a temporary workaround, consider disabling the `qfq dequeue()` function until a patch is available. Restrict access to the vulnerable `sch qfq` component to minimize the risk of exploitation. Avoid using the `sch plug` qdisc as a class of the `qfq` qdisc until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls route component can be exploited to achieve local privilege escalation. When `route4 change()` is called on an existing filter, the whole `tcf result` struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as `tcf unbind filter()` is always called on the old instance in the success path, decreasing `filter cnt` of the still referenced class and allowing it to be deleted, leading to a use-after-free. **Recommendations** Upgrade past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 to resolve the issue. As a temporary workaround, consider restricting access to the `net/sched: cls route` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls fw component can be exploited to achieve local privilege escalation. When `fw change()` is called on an existing filter, the whole `tcf result` struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as `tcf unbind filter()` is always called on the old instance in the success path, decreasing `filter cnt` of the still referenced class and allowing it to be deleted, leading to a use-after-free. **Recommendations** Upgrade past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls u32 component can be exploited to achieve local privilege escalation. When `u32 change()` is called on an existing filter, the whole `tcf result` struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as `tcf unbind filter()` is always called on the old instance in the success path, decreasing `filter cnt` of the still referenced class and allowing it to be deleted, leading to a use-after-free. **Recommendations** Upgrade past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 to resolve the issue. As a temporary workaround, consider restricting access to the `net/sched: cls u32` component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions 4.14 through the version before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 **Description** A Use After Free vulnerability in the Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when `tcf exts exec()` is called with the destroyed `tcf ext`. A local attacker user can use this vulnerability to elevate its privileges to root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The `tcindex delete` function does not properly deactivate filters in case of a perfect hash while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate their privileges to root. **Recommendations** Upgrade past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28 to resolve the issue. As a temporary workaround, consider disabling the `tcindex delete` function until a patch is available. Restrict access to the vulnerable `tcindex` filter to minimize the risk of exploitation. Avoid using the `tcindex` filter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.15 Linux kernel versions prior to 5.17 **Description** A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat. The vulnerability can be exploited by sending a large message, allowing the attacker to gain root privileges via modprobe path overwrite. Technical details about exploitation include page-level heap fengshui to gain page alloc-to-slab overflow, constructing arbitrary read/write using the `msg msg` kernel object. **Recommendations** For Linux kernel versions prior to 5.16.15, update to version 5.16.15 or later to resolve the issue. For Linux kernel versions prior to 5.17, update to version 5.17 or later to resolve the issue. As a temporary workaround, consider disabling the vulnerable `esp4` and `esp6` modules until a patch is available. Restrict access to the vulnerable `net/ipv4/esp4.c` and `net/ipv6/esp6.c` files to minimize the risk of exploitation. Avoid using the `msg msg` kernel object in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 11.7.8 and earlier, 11.8.x before 11.8.4, and 11.9.x before 11.9.2 GitLab Community and Enterprise Edition versions 11.7.10 and earlier, 11.8.x before 11.8.6, and 11.9.x before 11.9.4 Description: The issue allows for persistent XSS in the merge request "resolve conflicts" page. Recommendations: For versions 11.7.8 and earlier, update to version 11.7.8 or later to resolve the issue. For versions 11.8.x before 11.8.4, update to version 11.8.4 or later to resolve the issue. For versions 11.9.x before 11.9.2, update to version 11.9.2 or later to resolve the issue. For versions 11.7.10 and earlier, update to version 11.7.10 or later to resolve the issue. For versions 11.8.x before 11.8.6, update to version 11.8.6 or later to resolve the issue. For versions 11.9.x before 11.9.4, update to version 11.9.4 or later to resolve the issue.