Yiming Qian

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential NULL pointer dereference exists in the Linux kernel within the IPv6 IOAM (In-situ Operations, Administration, and Maintenance) component. The issue occurs in the ` ioam6 fill trace data()` function because the return value of ` in6 dev get()` is not properly checked for NULL. This can lead to system instability or crashes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the IPv6 sendmsg ancillary-data path where a mismatch occurs between a 16-bit length accumulator `opt flen` and a pointer to the last provided destination-options header `dst1opt` when multiple `IPV6 DSTOPTS` control messages are provided. The function `ip6 datagram send ctl()` accepts repeated `IPV6 DSTOPTS` and increments `opt flen` without rejecting duplicates, allowing the 16-bit value to wrap around. Consequently, the transmit path underestimates the required headroom. When the final socket buffer is built, the actual push length is derived from `dst1opt` rather than the wrapped `opt flen`, leading to a buffer underflow in `skb push()` that triggers a kernel panic. This can be exploited by a local user with `CAP NET RAW` privileges, or an unprivileged user if unprivileged user namespaces are enabled, resulting in a local denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified) Description A use-after-free (UaF) issue was identified in the netfilter component of the Linux kernel related to the handling of BPF hooks. Specifically, the vulnerability occurs when dumping hooks via nfnetlink hooks, potentially leading to memory corruption. The issue was reported by Yiming Qian and involves a race condition where memory is released before all readers have completed, resulting in a use-after-free condition. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.