Zhipeng Lu

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null-pointer dereference in the `load video binaries()` function of the `ssh css` component in the Linux kernel. This occurs after the allocation failure of `mycs->yuv scaler binary` and is followed by a dereference of `mycs->yuv scaler binary` through a specific call chain involving `sh css pipe load binaries()`, `load video binaries()`, `sh css pipe unload binaries()`, and `unload video binaries()`. The vulnerability can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the `go7007 load encoder` function. This leak occurs because `bounce` (i.e., `go->boot fw`) is allocated without being deallocated afterwards. The leak happens after a specific call chain: `saa7134 go7007 init` -> `go7007 boot encoder` -> `go7007 load encoder` -> `kfree(go)`, where `go` is freed, resulting in the leak of `bounce`. This could potentially allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a use-after-free vulnerability in the `dvb register device` function. In this function, `*pdvbdev` is set equal to `dvbdev`, which is freed in several error-handling paths. However, `*pdvbdev` is not set to NULL after `dvbdev`'s deallocation, causing use-after-frees in many places. This can occur in the following call chain: `budget register` -> `dvb dmxdev init` -> `dvb register device` -> `dvb dmxdev release` -> `dvb unregister device` -> `dvb remove device` -> `dvb device put` -> `kref put`. When calling `dvb unregister device`, `dmxdev->dvbdev` (i.e., `*pdvbdev` in `dvb register device`) could point to memory that had been freed in `dvb register device`, triggering a use-after-free. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a memory leak in the `lbs allocate cmd buffer()` function of the Linux kernel's libertas component. If the allocation of `cmdarray[i].cmdbuf` fails, both `cmdarray` and `cmdarray[i].cmdbuf` need to be freed to prevent memory leaks. Exploitation of this issue may allow an attacker to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the `v4l2 m2m register entity` function. The `entity->name` is allocated but not freed in error-handling paths, leading to a memory leak. This patch adds deallocation to prevent the memory leak. Exploitation of this issue may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a double-free error in the `arfs create groups()` function. When the `in` variable allocated by `kvzalloc` fails, `arfs create groups` will free `ft->g` and return an error. However, `arfs create table`, the only caller of `arfs create groups`, will hold this error and call `mlx5e destroy flow table`, in which `ft->g` will be freed again. This can lead to a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a double-free error in the `si dpm init` function of the Linux kernel's `drm/amd/pm` component. When the allocation of `adev->pm.dpm.dyn state.vddc dependency on dispclk.entries` fails, `amdgpu free extended power table` is called to free some fields of `adev`. However, when the control flow returns to `si dpm sw init`, it goes to label `dpm failed` and calls `si dpm fini`, which calls `amdgpu free extended power table` again and frees those fields again, thus triggering a double-free. This can allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free bug in the `kv parse power table` function. When `ps` allocated by `kzalloc` equals to `NULL`, `kv parse power table` frees `adev->pm.dpm.ps` that was allocated before. However, after the control flow goes through the call chains `kv parse power table` -> `kv dpm init` -> `kv dpm sw init` -> `kv dpm fini`, the `adev->pm.dpm.ps` is used in the for loop of `kv dpm fini` after its first free in `kv parse power table`, causing a use-after-free bug. This bug may allow an attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.