Vincent Whitchurch

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.18.0+ **Description** The issue is related to an out-of-bounds read in LDT setup. The `syscall stub data()` function expects the `data count` parameter to be the number of longs, not bytes. This can lead to a stack-out-of-bounds read. The problem occurs in the `syscall stub data+0x70/0xe0` function and is caused by a `memcpy` operation. The estimated number of potentially affected devices is not specified. **Recommendations** For Linux kernel versions prior to 5.18.0+, update to a version that includes the fix for the out-of-bounds read in LDT setup. As a temporary workaround, consider restricting access to the `syscall stub data()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to v6.9 **Description** The issue occurs when the stream verdict program returns SK PASS, placing the received skb into its own receive queue, but a recursive lock eventually occurs, leading to an operating system deadlock. This problem has been present since version v6.9. The `sk psock strp data ready` function is involved, which calls `write lock bh(&sk->sk callback lock)` and later `read lock bh(&sk->sk callback lock)`, resulting in a deadlock. **Recommendations** For Linux kernel versions prior to v6.9, update to a version that includes the fix for the recursive lock issue. As a temporary workaround, consider disabling the `stream verdict` program or restricting its use to minimize the risk of exploitation. Avoid using the `sk psock strp data ready` function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the Linux kernel's virtio component, where the driver incorrectly assumes that the notify callback is only received when the device is done with all the queued buffers. However, the notify callback can be called without any of the queued buffers being completed, or with only some of the buffers being completed. This can lead to incorrect data on the I2C bus or memory corruption in the guest if the device operates on buffers that have been freed by the driver. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the i2c virtio component in the Linux kernel. If a timeout occurs, it can result in incorrect data on the I2C bus and/or memory corruptions in the guest since the device can still be operating on the buffers it was given while the guest has freed them. This can lead to a denial of service. The `virtio i2c xfer` function is involved in the issue, and the problem can be triggered when a timeout is forced, for example, by setting a breakpoint in the backend. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the timeout support for the i2c virtio component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.15.149 Linux kernel versions prior to 6.1.77 Linux kernel versions prior to 6.6.16 Linux kernel versions prior to 6.7.4 **Description** The issue is related to time corruption in the Linux kernel's 'basic' time-travel mode. Timer interrupts can occur at arbitrary points, causing time to go backwards and resulting in a crash. The problem arises when the interrupt happens after calculating the new time but before finishing the adjustment. To fix this, the time travel time is read, the adjustment is calculated, and the adjustment is made with interrupts disabled. The `timer read` function is involved in this process. **Recommendations** For Linux kernel versions prior to 5.15.149, update to version 5.15.149 or later. For Linux kernel versions prior to 6.1.77, update to version 6.1.77 or later. For Linux kernel versions prior to 6.6.16, update to version 6.6.16 or later. For Linux kernel versions prior to 6.7.4, update to version 6.7.4 or later. As a temporary workaround, consider disabling the `timer read` function until a patch is available. Restrict access to the vulnerable time-travel mode to minimize the risk of exploitation. Avoid using the `time travel time` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free issue has been identified in the Linux kernel, specifically in the iio trigger sysfs. The problem occurs when the irq work has not completed before the trigger is freed, leading to a potential read of size 8 at an address that has already been freed. This issue is related to the `irq work run list` function and can be triggered through the `sysfs kf write` and `kernfs fop write iter` functions, which are used for writing to sysfs files. The estimated number of potentially affected devices worldwide is not available. **Recommendations** Ensure that the irq work has completed before the trigger is freed. As a temporary workaround, consider disabling the `irq work run list` function until a patch is available. Restrict access to the vulnerable sysfs files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.