# Flatcar Container Linux Release Detailed Security Reports - June 1, 2023 - Page 2 ### Detailed Security Report #### Alpha 3619.0.0 ... continued from the [page 1](https://hackmd.io/Rhav_jDVRk-FV2qo5gb1Ow?view). * Linux * [CVE-2023-0045](https://nvd.nist.gov/vuln/detail/CVE-2023-0045) CVSSv3 score: 7.5(High) The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set  function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall.  The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 * [CVE-2023-0179](https://nvd.nist.gov/vuln/detail/CVE-2023-0179) CVSSv3 score: 7.8(High) A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution. * [CVE-2023-0210](https://nvd.nist.gov/vuln/detail/CVE-2023-0210) CVSSv3 score: 7.5(High) A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. * [CVE-2023-0266](https://nvd.nist.gov/vuln/detail/CVE-2023-0266) CVSSv3 score: 7.8(High) A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. 
We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e * [CVE-2023-0386](https://nvd.nist.gov/vuln/detail/CVE-2023-0386) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system. * [CVE-2023-0394](https://nvd.nist.gov/vuln/detail/CVE-2023-0394) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. * [CVE-2023-0458](https://nvd.nist.gov/vuln/detail/CVE-2023-0458) CVSSv3 score: 4.7(Medium) A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 * [CVE-2023-0459](https://nvd.nist.gov/vuln/detail/CVE-2023-0459) CVSSv3 score: n/a Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 * [CVE-2023-0461](https://nvd.nist.gov/vuln/detail/CVE-2023-0461) CVSSv3 score: n/a There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. 
There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c * [CVE-2023-0468](https://nvd.nist.gov/vuln/detail/CVE-2023-0468) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. This flaw may cause a NULL pointer dereference. * [CVE-2023-0469](https://nvd.nist.gov/vuln/detail/CVE-2023-0469) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service. * [CVE-2023-0590](https://nvd.nist.gov/vuln/detail/CVE-2023-0590) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected. * [CVE-2023-1032](https://nvd.nist.gov/vuln/detail/CVE-2023-1032) CVSSv3 score: n/a * [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073) CVSSv3 score: 6.6(Medium) A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. 
* [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074) CVSSv3 score: 5.5(Medium) A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. * [CVE-2023-1075](https://nvd.nist.gov/vuln/detail/CVE-2023-1075) CVSSv3 score: 3.3(Low) A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. * [CVE-2023-1076](https://nvd.nist.gov/vuln/detail/CVE-2023-1076) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. * [CVE-2023-1077](https://nvd.nist.gov/vuln/detail/CVE-2023-1077) CVSSv3 score: 7.8(High) In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. * [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: 7.8(High) A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). 
Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. * [CVE-2023-1079](https://nvd.nist.gov/vuln/detail/CVE-2023-1079) CVSSv3 score: 6.8(Medium) A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data. * [CVE-2023-1095](https://nvd.nist.gov/vuln/detail/CVE-2023-1095) CVSSv3 score: 5.5(Medium) In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference. * [CVE-2023-1118](https://nvd.nist.gov/vuln/detail/CVE-2023-1118) CVSSv3 score: 7.8(High) A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. * [CVE-2023-1249](https://nvd.nist.gov/vuln/detail/CVE-2023-1249) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet, then kernel could be affected. 
* [CVE-2023-1281](https://nvd.nist.gov/vuln/detail/CVE-2023-1281) CVSSv3 score: n/a Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. * [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1(High) A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service. * [CVE-2023-1382](https://nvd.nist.gov/vuln/detail/CVE-2023-1382) CVSSv3 score: 4.7(Medium) A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel. * [CVE-2023-1513](https://nvd.nist.gov/vuln/detail/CVE-2023-1513) CVSSv3 score: 3.3(Low) A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. * [CVE-2023-1582](https://nvd.nist.gov/vuln/detail/CVE-2023-1582) CVSSv3 score: 4.7(Medium) A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service. 
* [CVE-2023-1583](https://nvd.nist.gov/vuln/detail/CVE-2023-1583) CVSSv3 score: 5.5(Medium) A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash. * [CVE-2023-1611](https://nvd.nist.gov/vuln/detail/CVE-2023-1611) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea * [CVE-2023-1637](https://nvd.nist.gov/vuln/detail/CVE-2023-1637) CVSSv3 score: 5.5(Medium) A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks. * [CVE-2023-1652](https://nvd.nist.gov/vuln/detail/CVE-2023-1652) CVSSv3 score: 7.1(High) A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. * [CVE-2023-1670](https://nvd.nist.gov/vuln/detail/CVE-2023-1670) CVSSv3 score: 7.8(High) A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system. 
* [CVE-2023-1829](https://nvd.nist.gov/vuln/detail/CVE-2023-1829) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. * [CVE-2023-1838](https://nvd.nist.gov/vuln/detail/CVE-2023-1838) CVSSv3 score: 7.1(High) A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem. * [CVE-2023-1855](https://nvd.nist.gov/vuln/detail/CVE-2023-1855) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem. * [CVE-2023-1859](https://nvd.nist.gov/vuln/detail/CVE-2023-1859) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak. * [CVE-2023-1872](https://nvd.nist.gov/vuln/detail/CVE-2023-1872) CVSSv3 score: 7(High) A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. 
The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8. * [CVE-2023-1989](https://nvd.nist.gov/vuln/detail/CVE-2023-1989) CVSSv3 score: 7(High) A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices. * [CVE-2023-1990](https://nvd.nist.gov/vuln/detail/CVE-2023-1990) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem. * [CVE-2023-1998](https://nvd.nist.gov/vuln/detail/CVE-2023-1998) CVSSv3 score: n/a The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. 
* [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: n/a A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication. * [CVE-2023-2006](https://nvd.nist.gov/vuln/detail/CVE-2023-2006) CVSSv3 score: 7(High) A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel. * [CVE-2023-2008](https://nvd.nist.gov/vuln/detail/CVE-2023-2008) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. * [CVE-2023-2019](https://nvd.nist.gov/vuln/detail/CVE-2023-2019) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system. * [CVE-2023-20928](https://nvd.nist.gov/vuln/detail/CVE-2023-20928) CVSSv3 score: 7.8(High) In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel * [CVE-2023-20938](https://nvd.nist.gov/vuln/detail/CVE-2023-20938) CVSSv3 score: 7.8(High) In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel * [CVE-2023-21102](https://nvd.nist.gov/vuln/detail/CVE-2023-21102) CVSSv3 score: 7.8(High) In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel * [CVE-2023-21106](https://nvd.nist.gov/vuln/detail/CVE-2023-21106) CVSSv3 score: 7.8(High) In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-265016072References: Upstream kernel * [CVE-2023-2162](https://nvd.nist.gov/vuln/detail/CVE-2023-2162) CVSSv3 score: 5.5(Medium) A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information. * [CVE-2023-2166](https://nvd.nist.gov/vuln/detail/CVE-2023-2166) CVSSv3 score: 5.5(Medium) A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. 
ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service. * [CVE-2023-2177](https://nvd.nist.gov/vuln/detail/CVE-2023-2177) CVSSv3 score: 5.5(Medium) A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service. * [CVE-2023-2194](https://nvd.nist.gov/vuln/detail/CVE-2023-2194) CVSSv3 score: 6.7(Medium) An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution. * [CVE-2023-2235](https://nvd.nist.gov/vuln/detail/CVE-2023-2235) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation. The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability. We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2. * [CVE-2023-2236](https://nvd.nist.gov/vuln/detail/CVE-2023-2236) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. 
We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4. * [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4(Medium) A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component. * [CVE-2023-22996](https://nvd.nist.gov/vuln/detail/CVE-2023-22996) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device. * [CVE-2023-22997](https://nvd.nist.gov/vuln/detail/CVE-2023-22997) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-22998](https://nvd.nist.gov/vuln/detail/CVE-2023-22998) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-22999](https://nvd.nist.gov/vuln/detail/CVE-2023-22999) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-23001](https://nvd.nist.gov/vuln/detail/CVE-2023-23001) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer). 
* [CVE-2023-23002](https://nvd.nist.gov/vuln/detail/CVE-2023-23002) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-23454](https://nvd.nist.gov/vuln/detail/CVE-2023-23454) CVSSv3 score: 5.5(Medium) cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). * [CVE-2023-23455](https://nvd.nist.gov/vuln/detail/CVE-2023-23455) CVSSv3 score: 5.5(Medium) atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). * [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High) In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. * [CVE-2023-25012](https://nvd.nist.gov/vuln/detail/CVE-2023-25012) CVSSv3 score: 4.6(Medium) The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long. * [CVE-2023-2513](https://nvd.nist.gov/vuln/detail/CVE-2023-2513) CVSSv3 score: 6.7(Medium) A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. 
* [CVE-2023-26544](https://nvd.nist.gov/vuln/detail/CVE-2023-26544) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size. * [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 4.7(Medium) In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. * [CVE-2023-26606](https://nvd.nist.gov/vuln/detail/CVE-2023-26606) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c. * [CVE-2023-26607](https://nvd.nist.gov/vuln/detail/CVE-2023-26607) CVSSv3 score: 7.1(High) In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c. * [CVE-2023-28327](https://nvd.nist.gov/vuln/detail/CVE-2023-28327) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service. * [CVE-2023-28328](https://nvd.nist.gov/vuln/detail/CVE-2023-28328) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service. 
* [CVE-2023-28410](https://nvd.nist.gov/vuln/detail/CVE-2023-28410) CVSSv3 score: 7.8(High) Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access. * [CVE-2023-28466](https://nvd.nist.gov/vuln/detail/CVE-2023-28466) CVSSv3 score: 7(High) do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). * [CVE-2023-28866](https://nvd.nist.gov/vuln/detail/CVE-2023-28866) CVSSv3 score: 5.3(Medium) In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not. * [CVE-2023-30456](https://nvd.nist.gov/vuln/detail/CVE-2023-30456) CVSSv3 score: 6.5(Medium) An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4. * [CVE-2023-30772](https://nvd.nist.gov/vuln/detail/CVE-2023-30772) CVSSv3 score: 6.4(Medium) The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device. * [CVE-2023-31436](https://nvd.nist.gov/vuln/detail/CVE-2023-31436) CVSSv3 score: 7.8(High) qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. * [CVE-2023-32233](https://nvd.nist.gov/vuln/detail/CVE-2023-32233) CVSSv3 score: 7.8(High) In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. 
This occurs because anonymous sets are mishandled. * [CVE-2023-32250](https://nvd.nist.gov/vuln/detail/CVE-2023-32250) CVSSv3 score: n/a * [CVE-2023-32254](https://nvd.nist.gov/vuln/detail/CVE-2023-32254) CVSSv3 score: n/a * [CVE-2023-32269](https://nvd.nist.gov/vuln/detail/CVE-2023-32269) CVSSv3 score: 6.7(Medium) An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. * [CVE-2023-33203](https://nvd.nist.gov/vuln/detail/CVE-2023-33203) CVSSv3 score: 6.4(Medium) The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device. * [CVE-2023-33288](https://nvd.nist.gov/vuln/detail/CVE-2023-33288) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition. * curl * [CVE-2023-28319](https://nvd.nist.gov/vuln/detail/CVE-2023-28319) CVSSv3 score: n/a A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed. 
  * [CVE-2023-28320](https://nvd.nist.gov/vuln/detail/CVE-2023-28320) CVSSv3 score: n/a A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected, and a multi-threaded application might therefore crash or otherwise misbehave.
  * [CVE-2023-28321](https://nvd.nist.gov/vuln/detail/CVE-2023-28321) CVSSv3 score: n/a An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to punycode before being used for certificate checks. Punycoded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.
  * [CVE-2023-28322](https://nvd.nist.gov/vuln/detail/CVE-2023-28322) CVSSv3 score: n/a An information disclosure vulnerability exists in curl <v8.1.0: when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle was previously used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer.
    The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
* git
  * [CVE-2023-25652](https://nvd.nist.gov/vuln/detail/CVE-2023-25652) CVSSv3 score: n/a Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
  * [CVE-2023-25815](https://nvd.nist.gov/vuln/detail/CVE-2023-25815) CVSSv3 score: 2.2(Low) In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering.
    For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
  * [CVE-2023-29007](https://nvd.nist.gov/vuln/detail/CVE-2023-29007) CVSSv3 score: 7.8(High) Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
* libcap
  * [CVE-2023-2602](https://nvd.nist.gov/vuln/detail/CVE-2023-2602) CVSSv3 score: n/a
    * Improper Release of Memory Before Removing Last Reference
    * Affected Component: libcap/psx/psx.c:__wrap_pthread_create()
  * [CVE-2023-2603](https://nvd.nist.gov/vuln/detail/CVE-2023-2603) CVSSv3 score: n/a
    * Integer Overflow or Wraparound
    * Affected Component: libcap/libcap/cap_alloc.c:_libcap_strdup()

#### Beta 3602.1.0

* Linux
  * [CVE-2022-48425](https://nvd.nist.gov/vuln/detail/CVE-2022-48425) CVSSv3 score: 7.8(High) In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
* Go
  * [CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) CVSSv3 score: 7.3(High) Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
  * [CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) CVSSv3 score: 9.8(Critical) Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
  * [CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) CVSSv3 score: 7.3(High) Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
* OpenSSH
  * [CVE-2023-28531](https://nvd.nist.gov/vuln/detail/CVE-2023-28531) CVSSv3 score: 9.8(Critical) ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints.
    The earliest affected version is 8.9.
* OpenSSL
  * [CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) CVSSv3 score: 7.5(High) A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function.
  * [CVE-2023-0465](https://nvd.nist.gov/vuln/detail/CVE-2023-0465) CVSSv3 score: 5.3(Medium) Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function.
  * [CVE-2023-0466](https://nvd.nist.gov/vuln/detail/CVE-2023-0466) CVSSv3 score: 5.3(Medium) The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However, the implementation of the function does not enable the check, which allows certificates with invalid or incorrect policies to pass the certificate verification.
    As suddenly enabling the policy check could break existing deployments, it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead, applications that require OpenSSL to perform certificate policy checks need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
  * [CVE-2023-1255](https://nvd.nist.gov/vuln/detail/CVE-2023-1255) CVSSv3 score: 5.9(Medium) Issue summary: The AES-XTS cipher decryption implementation for the 64-bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64-bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for the 64-bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64-bit ARM, the application is affected. This is fairly unlikely, making this issue a Low severity one.
* bash
  * [CVE-2022-3715](https://nvd.nist.gov/vuln/detail/CVE-2022-3715) CVSSv3 score: 7.8(High) A flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform. This issue may lead to memory problems.
* c-ares
  * [CVE-2022-4904](https://nvd.nist.gov/vuln/detail/CVE-2022-4904) CVSSv3 score: 8.6(High) A flaw was found in the c-ares package.
    The ares_set_sortlist function is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
* curl
  * [CVE-2023-27533](https://nvd.nist.gov/vuln/detail/CVE-2023-27533) CVSSv3 score: 8.8(High) An input validation vulnerability exists in curl <8.0 during communication using the TELNET protocol that may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
  * [CVE-2023-27534](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) CVSSv3 score: 8.8(High) A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
  * [CVE-2023-27535](https://nvd.nist.gov/vuln/detail/CVE-2023-27535) CVSSv3 score: 7.5(High) An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily.
    This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
  * [CVE-2023-27536](https://nvd.nist.gov/vuln/detail/CVE-2023-27536) CVSSv3 score: 7.5(High) An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
  * [CVE-2023-27537](https://nvd.nist.gov/vuln/detail/CVE-2023-27537) CVSSv3 score: 5.9(Medium) A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without consideration for doing this sharing across separate threads, but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
  * [CVE-2023-27538](https://nvd.nist.gov/vuln/detail/CVE-2023-27538) CVSSv3 score: 5.5(Medium) An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
* libxml2
  * [CVE-2023-28484](https://nvd.nist.gov/vuln/detail/CVE-2023-28484) CVSSv3 score: 6.5(Medium) In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
  * [CVE-2023-29469](https://nvd.nist.gov/vuln/detail/CVE-2023-29469) CVSSv3 score: 6.5(Medium) An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

#### Stable 3510.2.2

* Linux
  * [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1(High) A slab-out-of-bounds read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
  * [CVE-2023-1859](https://nvd.nist.gov/vuln/detail/CVE-2023-1859) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in xen_9pfs_front_remove in net/9p/trans_xen.c in the Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.
  * [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: n/a A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
  * [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4(Medium) A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
  * [CVE-2023-31436](https://nvd.nist.gov/vuln/detail/CVE-2023-31436) CVSSv3 score: 7.8(High) qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
  * [CVE-2023-32233](https://nvd.nist.gov/vuln/detail/CVE-2023-32233) CVSSv3 score: 7.8(High) In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.

#### LTS 3033.3.13

* Linux
  * [CVE-2022-39189](https://nvd.nist.gov/vuln/detail/CVE-2022-39189) CVSSv3 score: 7.8(High) An issue was discovered in the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
  * [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1(High) A slab-out-of-bounds read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
  * [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: n/a A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel.
    This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
  * [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4(Medium) A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
  * [CVE-2023-2513](https://nvd.nist.gov/vuln/detail/CVE-2023-2513) CVSSv3 score: 6.7(Medium) A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
  * [CVE-2023-31436](https://nvd.nist.gov/vuln/detail/CVE-2023-31436) CVSSv3 score: 7.8(High) qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
  * [CVE-2023-32233](https://nvd.nist.gov/vuln/detail/CVE-2023-32233) CVSSv3 score: 7.8(High) In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.