Zheng Wang

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue is related to a use after free bug in the `venus remove` function due to a race condition. This bug can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability is caused by the `core->work` being bound with `venus sys error handler` in `venus probe`, and the code using `core->sys err done` to make sync work. The `core->work` is started in `venus event notify`. If `venus remove` is called, there might be an unfinished work, leading to a possible sequence where the `hdev` is used after being freed. **Recommendations** For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider disabling the `venus remove` function until a patch is available. Restrict access to the vulnerable `venus sys error handler` function to minimize the risk of exploitation. Avoid using the `core->work` in the affected `venus probe` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the Linux kernel's mtk-jpeg component, specifically due to error path handling in `mtk jpeg dec device run`. This bug can be triggered in two ways: by removing the module, which calls `mtk jpeg remove` for cleanup, or by closing the file descriptor, which calls `mtk jpeg release`. The bug causes a use-after-free condition because the `mtk jpeg job timeout work` function is started while the job is marked as finished by invoking `v4l2 m2m job finish`. The fix involves starting the timeout worker only if the jpegdec worker is started successfully, ensuring that `v4l2 m2m job finish` is only called in either `mtk jpeg job timeout work` or `mtk jpeg dec device run`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.28 **Description** The issue is related to a use-after-free vulnerability in the brcmf cfg80211 detach function of the brcm80211 component in the Linux kernel. This vulnerability can be exploited by physically proximate attackers with local access, potentially allowing them to cause a denial of service. The vulnerability is related to the brcmf cfg80211 escan timeout worker function in the drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c file. **Recommendations** For Linux kernel versions prior to 6.6.28, update to version 6.6.28 or later to resolve the issue. As a temporary workaround, consider restricting local access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free problem in the `ravb tx timeout work()` function. This occurs when `ravb stop()` fails to call `cancel work sync()`, allowing `ravb tx timeout work()` to use freed memory after `ravb remove()` has been called. The vulnerability can be exploited to potentially elevate privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free error in the bttv component of the Linux kernel, specifically due to a race condition between the `bttv irq timeout` timer function and the `bttv remove` function. The timer is set up in the probe and there is no timer delete operation in the remove function, which can cause the `bttv irq timeout` function to still be invoked after the `btv` object has been freed, leading to a use-after-free bug. This bug was found through static analysis and may be a false positive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.3.8 **Description** A use-after-free issue was found in the `ravb remove()` function in the drivers/net/ethernet/renesas/ravb main.c module of the Linux kernel. This issue is related to a race condition that allows for the reuse of previously freed memory. Exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions through 6.3.8, as a temporary workaround, consider disabling the `ravb remove()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** A use-after-free issue was found in the `dm1105 remove()` function in the drivers/media/pci/dm1105/dm1105.c module of the Linux kernel. This issue is related to a race condition that allows for the reuse of previously freed memory due to concurrent access to a resource. Exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the `dm1105 remove()` function until a patch is available. Restrict access to the vulnerable module drivers/media/pci/dm1105/dm1105.c to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** The issue is related to a use-after-free in the `saa7134 finidev()` function in the Philips SAA7134 driver, located in `drivers/media/pci/saa7134/saa7134-core.c`. This is due to a race condition caused by concurrent access to a resource. Exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `saa7134 finidev()` function in the affected driver until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** The issue is related to a use-after-free vulnerability in the `cedrus remove()` function in the `drivers/staging/media/sunxi/cedrus/cedrus.c` module of the Linux kernel. This vulnerability is caused by a race condition due to concurrent access to a resource, allowing an attacker to potentially impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the `cedrus remove()` function until a patch is available. Restrict access to the vulnerable module `drivers/staging/media/sunxi/cedrus/cedrus.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.3.2 **Description** The issue is related to a use-after-free vulnerability in the `rkvdec remove()` function within the Rockchip Video Decoder driver in the Linux kernel. This vulnerability is caused by a race condition due to concurrent access to a resource, allowing an attacker to potentially impact the confidentiality, integrity, and availability of protected information. A proof-of-concept exploit has been discovered, which can silently execute a malicious bash script disguised as a kernel-level process. **Recommendations** For Linux kernel versions prior to 6.3.2, update to version 6.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the `rkvdec remove()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.9 **Description** The issue is related to a race condition and resultant use-after-free in the Linux kernel, specifically in the drivers/net/ethernet/qualcomm/emac/emac.c module. This occurs when a physically proximate attacker unplugs an emac based device, potentially allowing the attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is associated with the emac remove() function. **Recommendations** For Linux kernel versions prior to 6.2.9, update to version 6.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the emac module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. The vulnerability is related to the `xirc2ps detach()` function of the Xircom 16-bit PCMCIA (PC-card) network adapter driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** The issue is related to a use-after-free flaw in the `ndlc remove()` function, which can cause a system crash due to a race problem. This flaw may allow an attacker to disrupt service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.9 **Description** The issue is related to a race condition and resultant use-after-free in the drivers/power/supply/da9150-charger.c driver of the Linux kernel. This occurs when a physically proximate attacker unplugs a device, potentially leading to a denial of service. The vulnerability is associated with the `da9150 charger remove()` function and the use of shared resources. **Recommendations** For Linux kernel versions prior to 6.2.9, update to version 6.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `da9150-charger.c` driver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.2.9 **Description** A use-after-free issue was found in the `bq24190 remove()` function in the `drivers/power/supply/bq24190 charger.c` module of the Linux kernel. This issue could allow a local attacker to crash the system due to a race condition. The exploitation of this issue may result in a denial of service. **Recommendations** For Linux kernel versions prior to 6.2.9, update to version 6.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bq24190 remove()` function in the `drivers/power/supply/bq24190 charger.c` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `xgene hwmon remove` function in `drivers/hwmon/xgene-hwmon.c` of the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This issue could allow a local attacker to crash the system due to a race problem, potentially leading to a kernel information leak problem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `btsdio remove` function in the `driversbluetoothbtsdio.c` module of the Linux Kernel. This flaw may cause a race problem leading to a use-after-free issue on `hdev` devices when `btsdio remove` is called with an unfinished job. The exploitation of this issue can lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free flaw was found in the `r592 remove` function in `drivers/memstick/host/r592.c` related to media access in the Linux Kernel. This issue allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. The flaw is associated with a race condition due to concurrent access to resources, which could impact the confidentiality and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A double-free memory flaw was found in the Linux kernel, specifically in the Intel GVT-g graphics driver, which triggers VGA card system resource overload. This issue could allow a local user to crash the system by causing a fail in the `intel gvt dma map guest page` function. The flaw is related to improper cleanup when handling exceptions, which could lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the `intel gvt dma map guest page` function until a patch is available. Restrict access to the Intel GVT-g graphics driver to minimize the risk of exploitation. Avoid using the Intel GVT-g graphics driver until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A critical vulnerability has been found in the Linux Kernel, affecting the `spl2sw nvmem get mac address` function in the `drivers/net/ethernet/sunplus/spl2sw driver.c` file of the BPF component. This vulnerability leads to use after free, allowing an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To fix this issue, it is recommended to apply a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.