Xiao Liang

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.13.0-rc5 **Description** The issue is related to the `pfcp newlink()` function in the Linux kernel, which incorrectly links a device to a list in `dev net(dev)` instead of `net`, where a UDP tunnel socket is created. This can cause the device to remain alive even after the network namespace is removed, leading to a potential denial of service. The vulnerability can be exploited by creating a device in one network namespace and a UDP socket in another, then removing the first network namespace. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting the use of the `pfcp newlink()` function until a patch is available. Avoid using the `pfcp newlink()` function in scenarios where a UDP tunnel socket is created in a different network namespace than the device.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.15.177, 6.1.127, 6.6.74, and 6.12.11 **Description** The issue is related to the `gtp newlink()` function in the Linux kernel's `drivers/net/gtp.c` module. It incorrectly links a device to a list in `dev net(dev)` instead of `src net`, where a UDP tunnel socket is created. This can cause the device to remain active even after `src net` is removed, leading to a potential denial-of-service condition. The vulnerability can be exploited by creating a GTP device in one network namespace and a UDP socket in another, then removing the first namespace. **Recommendations** To resolve the issue, update the Linux kernel to version 5.15.177, 6.1.127, 6.6.74, or 6.12.11, or later. As a temporary workaround, consider restricting the creation of GTP devices and UDP sockets to the same network namespace to minimize the risk of exploitation. Additionally, be cautious when using the `ip netns` command to manage network namespaces, as removing a namespace can trigger the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The vulnerability is related to a null pointer dereference in the apparmor component of the Linux kernel. This occurs when receiving ICMP packets with secmark set while an ICMP raw socket is being created. The `SK CTX(sk)->label` is updated in `apparmor socket post create()`, but the packet is delivered to the socket before that, causing the null pointer dereference. To mitigate this, the packet should be dropped if the label context is not set. **Recommendations** For Linux kernel versions prior to 6.6.50, update to version 6.6.50 or later to resolve the vulnerability. If updating is not possible, consider disabling the apparmor component or restricting its use as a temporary workaround until a patch is available.