* [CVE-2022-47518](https://nvd.nist.gov/vuln/detail/CVE-2022-47518) CVSSv3 score: 7.8 (High). An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.
* [CVE-2022-48619](https://nvd.nist.gov/vuln/detail/CVE-2022-48619) CVSSv3 score: n/a. An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.
* [CVE-2023-0045](https://nvd.nist.gov/vuln/detail/CVE-2023-0045) CVSSv3 score: 7.5 (High). The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR in __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected into the BTB prior to the prctl syscall. The patch that added support for the conditional mitigation via prctl (ib_prctl_set) dates back to kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96.
* [CVE-2023-0160](https://nvd.nist.gov/vuln/detail/CVE-2023-0160) CVSSv3 score: 5.5 (Medium). A deadlock flaw was found in the Linux kernel's BPF subsystem. This flaw allows a local user to potentially crash the system.
* [CVE-2023-0179](https://nvd.nist.gov/vuln/detail/CVE-2023-0179) CVSSv3 score: 7.8 (High). A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow local privilege escalation to the root user via arbitrary code execution.
* [CVE-2023-0210](https://nvd.nist.gov/vuln/detail/CVE-2023-0210) CVSSv3 score: 7.5 (High). A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately on Linux-based systems.
* [CVE-2023-0266](https://nvd.nist.gov/vuln/detail/CVE-2023-0266) CVSSv3 score: 7.8 (High). A use-after-free vulnerability exists in the ALSA PCM package in the Linux kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks, which can be used in a use-after-free that can result in privilege escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e.
* [CVE-2023-0386](https://nvd.nist.gov/vuln/detail/CVE-2023-0386) CVSSv3 score: 7.8 (High). A flaw was found in the Linux kernel's OverlayFS subsystem, where unauthorized access to the execution of a setuid file with capabilities is possible in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
* [CVE-2023-0394](https://nvd.nist.gov/vuln/detail/CVE-2023-0394) CVSSv3 score: 5.5 (Medium). A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.
* [CVE-2023-0458](https://nvd.nist.gov/vuln/detail/CVE-2023-0458) CVSSv3 score: 4.7 (Medium). A speculative pointer dereference problem exists in the Linux kernel in the do_prlimit() function. The resource argument value is user-controlled and is used in pointer arithmetic for the 'rlim' variable, and can be used to leak its contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
* [CVE-2023-0459](https://nvd.nist.gov/vuln/detail/CVE-2023-0459) CVSSv3 score: 5.5 (Medium). copy_from_user on 64-bit versions of the Linux kernel does not implement __uaccess_begin_nospec, allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47.
* [CVE-2023-0461](https://nvd.nist.gov/vuln/detail/CVE-2023-0461) CVSSv3 score: n/a. There is a use-after-free vulnerability in the Linux kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability, the kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be set, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, a user can install a TLS context (struct tls_context) on a connected TCP socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c.
* [CVE-2023-0468](https://nvd.nist.gov/vuln/detail/CVE-2023-0468) CVSSv3 score: 4.7 (Medium). A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux kernel due to a race condition on poll_refs. This flaw may cause a NULL pointer dereference.
* [CVE-2023-0469](https://nvd.nist.gov/vuln/detail/CVE-2023-0469) CVSSv3 score: 5.5 (Medium). A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux kernel during call cleanup. This flaw may lead to a denial of service.
* [CVE-2023-0590](https://nvd.nist.gov/vuln/detail/CVE-2023-0590) CVSSv3 score: 4.7 (Medium). A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") has not been applied yet, the kernel could be affected.
* [CVE-2023-0615](https://nvd.nist.gov/vuln/detail/CVE-2023-0615) CVSSv3 score: 5.5 (Medium). A memory leak flaw and a potential divide-by-zero and integer overflow were found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as the VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if the vivid test code is enabled.
* [CVE-2023-1032](https://nvd.nist.gov/vuln/detail/CVE-2023-1032) CVSSv3 score: 5.5 (Medium). The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.
* [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073) CVSSv3 score: 6.6 (Medium). A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074) CVSSv3 score: 5.5 (Medium). A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.
* [CVE-2023-1075](https://nvd.nist.gov/vuln/detail/CVE-2023-1075) CVSSv3 score: 3.3 (Low). A flaw was found in the Linux kernel. tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type-confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.
* [CVE-2023-1076](https://nvd.nist.gov/vuln/detail/CVE-2023-1076) CVSSv3 score: 5.5 (Medium). A flaw was found in the Linux kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., for a non-root user holding only that capability. This would cause tun/tap sockets to be treated incorrectly in filtering/routing decisions, possibly bypassing network filters.
* [CVE-2023-1077](https://nvd.nist.gov/vuln/detail/CVE-2023-1077) CVSSv3 score: 7 (High). In the Linux kernel, pick_next_rt_entity() may return a type-confused entry that is not detected by the BUG_ON condition, as the confused entry will not be NULL but a list_head. The buggy error condition would lead to a type-confused entry with the list head, which would then be used as a type-confused sched_rt_entity, causing memory corruption.
* [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: 7.8 (High). A flaw was found in the Linux kernel in the RDS (Reliable Datagram Sockets) protocol. rds_rm_zerocopy_callback() uses list_entry() on the head of a list, causing a type confusion. A local user can trigger this with rds_message_put(). The type confusion leads to `struct rds_msg_zcopy_info *info` actually pointing to something else that is potentially controlled by the local user. It is known how to trigger this, which causes an out-of-bounds access and a lock corruption.
* [CVE-2023-1079](https://nvd.nist.gov/vuln/detail/CVE-2023-1079) CVSSv3 score: 6.8 (Medium). A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging in or disconnecting a malicious USB device which advertises itself as an Asus device. Similarly to the previously known CVE-2023-25012, but in Asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
* [CVE-2023-1095](https://nvd.nist.gov/vuln/detail/CVE-2023-1095) CVSSv3 score: 5.5 (Medium). In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list; the list head is all zeroes, and this results in a NULL pointer dereference.
* [CVE-2023-1118](https://nvd.nist.gov/vuln/detail/CVE-2023-1118) CVSSv3 score: 7.8 (High). A use-after-free flaw was found in the Linux kernel's integrated infrared receiver/transceiver driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1192](https://nvd.nist.gov/vuln/detail/CVE-2023-1192) CVSSv3 score: n/a. A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux kernel. After CIFS transfers response data to a system call, local variables still point to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region, leading to a denial of service.
* [CVE-2023-1193](https://nvd.nist.gov/vuln/detail/CVE-2023-1193) CVSSv3 score: n/a. A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel Samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.
* [CVE-2023-1194](https://nvd.nist.gov/vuln/detail/CVE-2023-1194) CVSSv3 score: 8.1 (High). An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel Samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.
* [CVE-2023-1206](https://nvd.nist.gov/vuln/detail/CVE-2023-1206) CVSSv3 score: 5.7 (Medium). A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high-bandwidth connection can increase the CPU usage of a server that accepts IPv6 connections by up to 95%.
* [CVE-2023-1249](https://nvd.nist.gov/vuln/detail/CVE-2023-1249) CVSSv3 score: 5.5 (Medium). A use-after-free flaw was found in the Linux kernel's core dump subsystem. This flaw allows a local user to crash the system. The kernel could be affected only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") has not been applied yet.
* [CVE-2023-1281](https://nvd.nist.gov/vuln/detail/CVE-2023-1281) CVSSv3 score: n/a. A use-after-free vulnerability in the Linux kernel traffic control index filter (tcindex) allows privilege escalation. The imperfect hash area can be updated while packets are traversing it, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root. This issue affects the Linux kernel from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
* [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1 (High). A slab-out-of-bounds read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
* [CVE-2023-1382](https://nvd.nist.gov/vuln/detail/CVE-2023-1382) CVSSv3 score: 4.7 (Medium). A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the TIPC protocol in the Linux kernel.
* [CVE-2023-1513](https://nvd.nist.gov/vuln/detail/CVE-2023-1513) CVSSv3 score: 3.3 (Low). A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
* [CVE-2023-1582](https://nvd.nist.gov/vuln/detail/CVE-2023-1582) CVSSv3 score: 4.7 (Medium). A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
* [CVE-2023-1583](https://nvd.nist.gov/vuln/detail/CVE-2023-1583) CVSSv3 score: 5.5 (Medium). A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.
* [CVE-2023-1611](https://nvd.nist.gov/vuln/detail/CVE-2023-1611) CVSSv3 score: 6.3 (Medium). A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.
* [CVE-2023-1637](https://nvd.nist.gov/vuln/detail/CVE-2023-1637) CVSSv3 score: 5.5 (Medium). A flaw was found in the Linux kernel's x86 CPU power management options functionality: when a user resumes a CPU from suspend-to-RAM, the boot CPU could be left vulnerable to speculative-execution-style attacks. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU, similar to speculative execution attacks.
* [CVE-2023-1652](https://nvd.nist.gov/vuln/detail/CVE-2023-1652) CVSSv3 score: 7.1 (High). A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux kernel. This issue could allow a local attacker to crash the system or may lead to a kernel information leak.
* [CVE-2023-1670](https://nvd.nist.gov/vuln/detail/CVE-2023-1670) CVSSv3 score: 7.8 (High). A use-after-free flaw was found in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1829](https://nvd.nist.gov/vuln/detail/CVE-2023-1829) CVSSv3 score: n/a. A use-after-free vulnerability in the Linux kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker can use this vulnerability to elevate their privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.
* [CVE-2023-1838](https://nvd.nist.gov/vuln/detail/CVE-2023-1838) CVSSv3 score: 7.1 (High). A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in the virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak.
* [CVE-2023-1855](https://nvd.nist.gov/vuln/detail/CVE-2023-1855) CVSSv3 score: 6.3 (Medium). A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux kernel driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak.
* [CVE-2023-1859](https://nvd.nist.gov/vuln/detail/CVE-2023-1859) CVSSv3 score: 4.7 (Medium). A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in the Xen transport for 9pfs in the Linux kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.
* [CVE-2023-1872](https://nvd.nist.gov/vuln/detail/CVE-2023-1872) CVSSv3 score: 7 (High). A use-after-free vulnerability in the Linux kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function does not hold ctx->uring_lock, which can lead to a use-after-free due to a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.
* [CVE-2023-1989](https://nvd.nist.gov/vuln/detail/CVE-2023-1989) CVSSv3 score: 7 (High). A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux kernel. In this flaw, a call to btsdio_remove with an unfinished job may cause a race problem leading to a UAF on hdev devices.
* [CVE-2023-1990](https://nvd.nist.gov/vuln/detail/CVE-2023-1990) CVSSv3 score: 4.7 (Medium). A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux kernel. This flaw could allow an attacker to crash the system due to a race problem.
* [CVE-2023-1998](https://nvd.nist.gov/vuln/detail/CVE-2023-1998) CVSSv3 score: n/a. The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL, which disables the speculation feature, as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the Spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on the boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace for performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection, against which STIBP protects.
* [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: 6.8 (Medium). A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
* [CVE-2023-2006](https://nvd.nist.gov/vuln/detail/CVE-2023-2006) CVSSv3 score: 7 (High). A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-2008](https://nvd.nist.gov/vuln/detail/CVE-2023-2008) CVSSv3 score: 7.8 (High). A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-2019](https://nvd.nist.gov/vuln/detail/CVE-2023-2019) CVSSv3 score: 4.4 (Medium). A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.
* [CVE-2023-20569](https://nvd.nist.gov/vuln/detail/CVE-2023-20569) CVSSv3 score: 4.7 (Medium). A side channel vulnerability on some AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
* [CVE-2023-20588](https://nvd.nist.gov/vuln/detail/CVE-2023-20588) CVSSv3 score: 5.5 (Medium). A division-by-zero error on some AMD processors can potentially return speculative data, resulting in loss of confidentiality.
* [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5 (Medium). An issue in "Zen 2" CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
* [CVE-2023-20928](https://nvd.nist.gov/vuln/detail/CVE-2023-20928) CVSSv3 score: 7.8 (High). In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-254837884. References: Upstream kernel.
* [CVE-2023-20938](https://nvd.nist.gov/vuln/detail/CVE-2023-20938) CVSSv3 score: 7.8 (High). In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-257685302. References: Upstream kernel.
* [CVE-2023-21102](https://nvd.nist.gov/vuln/detail/CVE-2023-21102) CVSSv3 score: 7.8 (High). In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-260821414. References: Upstream kernel.
* [CVE-2023-21106](https://nvd.nist.gov/vuln/detail/CVE-2023-21106) CVSSv3 score: 7.8 (High). In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-265016072. References: Upstream kernel.
* [CVE-2023-2124](https://nvd.nist.gov/vuln/detail/CVE-2023-2124) CVSSv3 score: 7.8 (High). An out-of-bounds memory access flaw was found in the Linux kernel's XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-21255](https://nvd.nist.gov/vuln/detail/CVE-2023-21255) CVSSv3 score: 7.8 (High). In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
* [CVE-2023-2156](https://nvd.nist.gov/vuln/detail/CVE-2023-2156) CVSSv3 score: 7.5 (High). A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.
* [CVE-2023-2162](https://nvd.nist.gov/vuln/detail/CVE-2023-2162) CVSSv3 score: 5.5 (Medium). A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in the SCSI sub-component in the Linux kernel. With this flaw an attacker could leak kernel internal information.
* [CVE-2023-2163](https://nvd.nist.gov/vuln/detail/CVE-2023-2163) CVSSv3 score: 8.8 (High). Incorrect verifier pruning in BPF in Linux kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.
* [CVE-2023-2166](https://nvd.nist.gov/vuln/detail/CVE-2023-2166) CVSSv3 score: 5.5 (Medium). A NULL pointer dereference issue was found in the CAN protocol in net/can/af_can.c in the Linux kernel. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.
* [CVE-2023-2177](https://nvd.nist.gov/vuln/detail/CVE-2023-2177) CVSSv3 score: 5.5 (Medium). A NULL pointer dereference issue was found in the SCTP network protocol in net/sctp/stream_sched.c in the Linux kernel. If the stream_in allocation fails, stream_out is freed and is subsequently accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.
* [CVE-2023-2194](https://nvd.nist.gov/vuln/detail/CVE-2023-2194) CVSSv3 score: 6.7 (Medium). An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0 and 255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.
* [CVE-2023-2235](https://nvd.nist.gov/vuln/detail/CVE-2023-2235) CVSSv3 score: n/a. A use-after-free vulnerability in the Linux kernel Performance Events system can be exploited to achieve local privilege escalation. The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on them before detaching from their group, making it possible to use a dangling pointer and causing a use-after-free vulnerability. We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.
* [CVE-2023-2236](https://nvd.nist.gov/vuln/detail/CVE-2023-2236) CVSSv3 score: n/a. A use-after-free vulnerability in the Linux kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput on a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.
* [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4 (Medium). A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux kernel Device Mapper-Multipathing sub-component.
* [CVE-2023-22996](https://nvd.nist.gov/vuln/detail/CVE-2023-22996) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device. * [CVE-2023-22997](https://nvd.nist.gov/vuln/detail/CVE-2023-22997) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-22998](https://nvd.nist.gov/vuln/detail/CVE-2023-22998) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-22999](https://nvd.nist.gov/vuln/detail/CVE-2023-22999) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-23001](https://nvd.nist.gov/vuln/detail/CVE-2023-23001) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer). * [CVE-2023-23002](https://nvd.nist.gov/vuln/detail/CVE-2023-23002) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer). 
* [CVE-2023-23454](https://nvd.nist.gov/vuln/detail/CVE-2023-23454) CVSSv3 score: 5.5(Medium) cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). * [CVE-2023-23455](https://nvd.nist.gov/vuln/detail/CVE-2023-23455) CVSSv3 score: 5.5(Medium) atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). * [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High) In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. * [CVE-2023-23908](https://nvd.nist.gov/vuln/detail/CVE-2023-23908) CVSSv3 score: 4.4(Medium) Improper access control in some 3rd Generation Intel(R) Xeon(R) Scalable processors may allow a privileged user to potentially enable information disclosure via local access. * [CVE-2023-2430](https://nvd.nist.gov/vuln/detail/CVE-2023-2430) CVSSv3 score: 5.5(Medium) A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat. * [CVE-2023-25012](https://nvd.nist.gov/vuln/detail/CVE-2023-25012) CVSSv3 score: 4.6(Medium) The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long. 
* [CVE-2023-2513](https://nvd.nist.gov/vuln/detail/CVE-2023-2513) CVSSv3 score: 6.7(Medium) A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
* [CVE-2023-25775](https://nvd.nist.gov/vuln/detail/CVE-2023-25775) CVSSv3 score: 9.8(Critical) Improper access control in the Intel(R) Ethernet Controller RDMA driver for Linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
* [CVE-2023-26544](https://nvd.nist.gov/vuln/detail/CVE-2023-26544) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.
* [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 4.7(Medium) In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
* [CVE-2023-26606](https://nvd.nist.gov/vuln/detail/CVE-2023-26606) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.
* [CVE-2023-26607](https://nvd.nist.gov/vuln/detail/CVE-2023-26607) CVSSv3 score: 7.1(High) In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.
* [CVE-2023-28327](https://nvd.nist.gov/vuln/detail/CVE-2023-28327) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c in unix_diag_get_exact in the Linux kernel. The newly allocated skb does not have sk, leading to a NULL pointer dereference. This flaw allows a local user to crash the system or potentially cause a denial of service.
* [CVE-2023-28328](https://nvd.nist.gov/vuln/detail/CVE-2023-28328) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.
* [CVE-2023-28410](https://nvd.nist.gov/vuln/detail/CVE-2023-28410) CVSSv3 score: 7.8(High) Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for Linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access.
* [CVE-2023-28466](https://nvd.nist.gov/vuln/detail/CVE-2023-28466) CVSSv3 score: 7(High) do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
* [CVE-2023-28866](https://nvd.nist.gov/vuln/detail/CVE-2023-28866) CVSSv3 score: 5.3(Medium) In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.
* [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium) A NULL pointer dereference flaw was found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service.
* [CVE-2023-2985](https://nvd.nist.gov/vuln/detail/CVE-2023-2985) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux kernel. This flaw could allow a local user to cause a denial of service.
* [CVE-2023-3006](https://nvd.nist.gov/vuln/detail/CVE-2023-3006) CVSSv3 score: 5.5(Medium) A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, applies again to the new AmpereOne hardware. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.
* [CVE-2023-30456](https://nvd.nist.gov/vuln/detail/CVE-2023-30456) CVSSv3 score: 6.5(Medium) An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
* [CVE-2023-30772](https://nvd.nist.gov/vuln/detail/CVE-2023-30772) CVSSv3 score: 6.4(Medium) The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
* [CVE-2023-3090](https://nvd.nist.gov/vuln/detail/CVE-2023-3090) CVSSv3 score: n/a A heap out-of-bounds write vulnerability in the Linux kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.
* [CVE-2023-31085](https://nvd.nist.gov/vuln/detail/CVE-2023-31085) CVSSv3 score: 5.5(Medium) An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
* [CVE-2023-3111](https://nvd.nist.gov/vuln/detail/CVE-2023-3111) CVSSv3 score: 7.8(High) A use-after-free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux kernel. This flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().
* [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a Linux kernel nftables use-after-free local privilege escalation vulnerability: `nft_chain_lookup_byid()` failed to check whether a chain was active, and CAP_NET_ADMIN is available in any user or network namespace.
* [CVE-2023-3141](https://nvd.nist.gov/vuln/detail/CVE-2023-3141) CVSSv3 score: 7.1(High) A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.
* [CVE-2023-31436](https://nvd.nist.gov/vuln/detail/CVE-2023-31436) CVSSv3 score: 7.8(High) qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
* [CVE-2023-3159](https://nvd.nist.gov/vuln/detail/CVE-2023-3159) CVSSv3 score: 6.7(Medium) A use-after-free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux kernel. A local attacker with special privileges may cause a use-after-free when queue_event() fails.
* [CVE-2023-3161](https://nvd.nist.gov/vuln/detail/CVE-2023-3161) CVSSv3 score: 5.5(Medium) A flaw was found in the Framebuffer Console (fbcon) in the Linux kernel. When font->width and font->height greater than 32 are provided to fbcon_set_font, a shift-out-of-bounds occurs because there are no checks in place, leading to undefined behavior and possible denial of service.
* [CVE-2023-3212](https://nvd.nist.gov/vuln/detail/CVE-2023-3212) CVSSv3 score: 4.4(Medium) A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
* [CVE-2023-3220](https://nvd.nist.gov/vuln/detail/CVE-2023-3220) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks a check of the return value of kzalloc(), which can cause a NULL pointer dereference.
* [CVE-2023-32233](https://nvd.nist.gov/vuln/detail/CVE-2023-32233) CVSSv3 score: 7.8(High) In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
* [CVE-2023-32247](https://nvd.nist.gov/vuln/detail/CVE-2023-32247) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32248](https://nvd.nist.gov/vuln/detail/CVE-2023-32248) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32250](https://nvd.nist.gov/vuln/detail/CVE-2023-32250) CVSSv3 score: 8.1(High) A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32252](https://nvd.nist.gov/vuln/detail/CVE-2023-32252) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32254](https://nvd.nist.gov/vuln/detail/CVE-2023-32254) CVSSv3 score: 8.1(High) A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32257](https://nvd.nist.gov/vuln/detail/CVE-2023-32257) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32258](https://nvd.nist.gov/vuln/detail/CVE-2023-32258) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32269](https://nvd.nist.gov/vuln/detail/CVE-2023-32269) CVSSv3 score: 6.7(Medium) An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.
* [CVE-2023-3268](https://nvd.nist.gov/vuln/detail/CVE-2023-3268) CVSSv3 score: 7.1(High) An out-of-bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
* [CVE-2023-3269](https://nvd.nist.gov/vuln/detail/CVE-2023-3269) CVSSv3 score: 7.8(High) A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escape containers, and gain root privileges.
* [CVE-2023-33203](https://nvd.nist.gov/vuln/detail/CVE-2023-33203) CVSSv3 score: 6.4(Medium) The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac-based device.
* [CVE-2023-33288](https://nvd.nist.gov/vuln/detail/CVE-2023-33288) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.
* [CVE-2023-3355](https://nvd.nist.gov/vuln/detail/CVE-2023-3355) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.
* [CVE-2023-3357](https://nvd.nist.gov/vuln/detail/CVE-2023-3357) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system.
* [CVE-2023-3358](https://nvd.nist.gov/vuln/detail/CVE-2023-3358) CVSSv3 score: 5.5(Medium) A NULL pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.
* [CVE-2023-3359](https://nvd.nist.gov/vuln/detail/CVE-2023-3359) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel in brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. A missing check of the return value of kzalloc() can cause a NULL pointer dereference.
* [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
* [CVE-2023-33951](https://nvd.nist.gov/vuln/detail/CVE-2023-33951) CVSSv3 score: 5.3(Medium) A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.
* [CVE-2023-33952](https://nvd.nist.gov/vuln/detail/CVE-2023-33952) CVSSv3 score: n/a A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel.
* [CVE-2023-34256](https://nvd.nist.gov/vuln/detail/CVE-2023-34256) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access.
* [CVE-2023-34319](https://nvd.nist.gov/vuln/detail/CVE-2023-34319) CVSSv3 score: 7.8(High) The fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
* [CVE-2023-34324](https://nvd.nist.gov/vuln/detail/CVE-2023-34324) CVSSv3 score: 4.9(Medium) Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not negligible. Note that 32-bit Arm guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued RW locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers from getting the lock).
* [CVE-2023-3439](https://nvd.nist.gov/vuln/detail/CVE-2023-3439) CVSSv3 score: 4.7(Medium) A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resources when a netcard detaches. However, a running routine may be unaware of this and cause a use-after-free of the mdev->addrs object, potentially leading to a denial of service.
* [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a Linux kernel nftables out-of-bounds read/write vulnerability: nft_byteorder poorly handled VM register contents, and CAP_NET_ADMIN is available in any user or network namespace.
* [CVE-2023-3567](https://nvd.nist.gov/vuln/detail/CVE-2023-3567) CVSSv3 score: n/a A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.
* [CVE-2023-35788](https://nvd.nist.gov/vuln/detail/CVE-2023-35788) CVSSv3 score: 7.8(High) An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
* [CVE-2023-35823](https://nvd.nist.gov/vuln/detail/CVE-2023-35823) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.
* [CVE-2023-35824](https://nvd.nist.gov/vuln/detail/CVE-2023-35824) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
* [CVE-2023-35826](https://nvd.nist.gov/vuln/detail/CVE-2023-35826) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.
* [CVE-2023-35827](https://nvd.nist.gov/vuln/detail/CVE-2023-35827) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.
* [CVE-2023-35828](https://nvd.nist.gov/vuln/detail/CVE-2023-35828) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.
* [CVE-2023-35829](https://nvd.nist.gov/vuln/detail/CVE-2023-35829) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.
* [CVE-2023-3609](https://nvd.nist.gov/vuln/detail/CVE-2023-3609) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
* [CVE-2023-3610](https://nvd.nist.gov/vuln/detail/CVE-2023-3610) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. A flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
* [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
* [CVE-2023-3772](https://nvd.nist.gov/vuln/detail/CVE-2023-3772) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
* [CVE-2023-3773](https://nvd.nist.gov/vuln/detail/CVE-2023-3773) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
* [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
* [CVE-2023-3777](https://nvd.nist.gov/vuln/detail/CVE-2023-3777) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound, and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
* [CVE-2023-3812](https://nvd.nist.gov/vuln/detail/CVE-2023-3812) CVSSv3 score: n/a An out-of-bounds memory access flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-38409](https://nvd.nist.gov/vuln/detail/CVE-2023-38409) CVSSv3 score: 5.5(Medium) An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).
* [CVE-2023-38426](https://nvd.nist.gov/vuln/detail/CVE-2023-38426) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.
* [CVE-2023-38427](https://nvd.nist.gov/vuln/detail/CVE-2023-38427) CVSSv3 score: 9.8(Critical) An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.
* [CVE-2023-38428](https://nvd.nist.gov/vuln/detail/CVE-2023-38428) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of the security buffer, leading to an out-of-bounds read.
* [CVE-2023-38429](https://nvd.nist.gov/vuln/detail/CVE-2023-38429) CVSSv3 score: 9.8(Critical) An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.
* [CVE-2023-38430](https://nvd.nist.gov/vuln/detail/CVE-2023-38430) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.
* [CVE-2023-38431](https://nvd.nist.gov/vuln/detail/CVE-2023-38431) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.
* [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.
* [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium) A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to cause a kernel information leak.
* [CVE-2023-3865](https://nvd.nist.gov/vuln/detail/CVE-2023-3865) CVSSv3 score: n/a
* [CVE-2023-3866](https://nvd.nist.gov/vuln/detail/CVE-2023-3866) CVSSv3 score: n/a
* [CVE-2023-3867](https://nvd.nist.gov/vuln/detail/CVE-2023-3867) CVSSv3 score: n/a
* [CVE-2023-39189](https://nvd.nist.gov/vuln/detail/CVE-2023-39189) CVSSv3 score: 6(Medium) A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
* [CVE-2023-39192](https://nvd.nist.gov/vuln/detail/CVE-2023-39192) CVSSv3 score: 6(Medium) A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.
* [CVE-2023-39193](https://nvd.nist.gov/vuln/detail/CVE-2023-39193) CVSSv3 score: 6(Medium) A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
* [CVE-2023-39194](https://nvd.nist.gov/vuln/detail/CVE-2023-39194) CVSSv3 score: 4.4(Medium) A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.
* [CVE-2023-39197](https://nvd.nist.gov/vuln/detail/CVE-2023-39197) CVSSv3 score: n/a
* [CVE-2023-39198](https://nvd.nist.gov/vuln/detail/CVE-2023-39198) CVSSv3 score: 6.4(Medium) A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
* [CVE-2023-4004](https://nvd.nist.gov/vuln/detail/CVE-2023-4004) CVSSv3 score: n/a A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with an element without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-4015](https://nvd.nist.gov/vuln/detail/CVE-2023-4015) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. On an error when building an nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead to unbinding the chain and to objects being deactivated but later used. We recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.
* [CVE-2023-40283](https://nvd.nist.gov/vuln/detail/CVE-2023-40283) CVSSv3 score: 7.8(High) An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.
* [CVE-2023-4132](https://nvd.nist.gov/vuln/detail/CVE-2023-4132) CVSSv3 score: n/a A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
* [CVE-2023-4147](https://nvd.nist.gov/vuln/detail/CVE-2023-4147) CVSSv3 score: n/a A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
* [CVE-2023-4155](https://nvd.nist.gov/vuln/detail/CVE-2023-4155) CVSSv3 score: 5.6(Medium) A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
* [CVE-2023-4206](https://nvd.nist.gov/vuln/detail/CVE-2023-4206) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
* [CVE-2023-4207](https://nvd.nist.gov/vuln/detail/CVE-2023-4207) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
* [CVE-2023-4208](https://nvd.nist.gov/vuln/detail/CVE-2023-4208) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
* [CVE-2023-4244](https://nvd.nist.gov/vuln/detail/CVE-2023-4244) CVSSv3 score: 7(High) A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability. We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.
* [CVE-2023-4273](https://nvd.nist.gov/vuln/detail/CVE-2023-4273) CVSSv3 score: 6.7(Medium) A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
* [CVE-2023-42752](https://nvd.nist.gov/vuln/detail/CVE-2023-42752) CVSSv3 score: n/a An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.
* [CVE-2023-42753](https://nvd.nist.gov/vuln/detail/CVE-2023-42753) CVSSv3 score: 7.8(High) An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-42754](https://nvd.nist.gov/vuln/detail/CVE-2023-42754) CVSSv3 score: n/a A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs.
This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system. * [CVE-2023-42755](https://nvd.nist.gov/vuln/detail/CVE-2023-42755) CVSSv3 score: 5.5(Medium) A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service. * [CVE-2023-4385](https://nvd.nist.gov/vuln/detail/CVE-2023-4385) CVSSv3 score: n/a A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check. * [CVE-2023-4387](https://nvd.nist.gov/vuln/detail/CVE-2023-4387) CVSSv3 score: n/a A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem. * [CVE-2023-4389](https://nvd.nist.gov/vuln/detail/CVE-2023-4389) CVSSv3 score: 7.1(High) A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information. * [CVE-2023-4394](https://nvd.nist.gov/vuln/detail/CVE-2023-4394) CVSSv3 score: 6(Medium) A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. 
This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information * [CVE-2023-44466](https://nvd.nist.gov/vuln/detail/CVE-2023-44466) CVSSv3 score: 8.8(High) An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32. * [CVE-2023-4459](https://nvd.nist.gov/vuln/detail/CVE-2023-4459) CVSSv3 score: n/a A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup. * [CVE-2023-4569](https://nvd.nist.gov/vuln/detail/CVE-2023-4569) CVSSv3 score: 5.5(Medium) A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak. * [CVE-2023-45862](https://nvd.nist.gov/vuln/detail/CVE-2023-45862) CVSSv3 score: 5.5(Medium) An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation. * [CVE-2023-45863](https://nvd.nist.gov/vuln/detail/CVE-2023-45863) CVSSv3 score: 6.4(Medium) An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write. 
* [CVE-2023-45871](https://nvd.nist.gov/vuln/detail/CVE-2023-45871) CVSSv3 score: 7.5(High) An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU. * [CVE-2023-4623](https://nvd.nist.gov/vuln/detail/CVE-2023-4623) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. * [CVE-2023-46813](https://nvd.nist.gov/vuln/detail/CVE-2023-46813) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it. * [CVE-2023-46862](https://nvd.nist.gov/vuln/detail/CVE-2023-46862) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur. * [CVE-2023-4921](https://nvd.nist.gov/vuln/detail/CVE-2023-4921) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. 
When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8. * [CVE-2023-5090](https://nvd.nist.gov/vuln/detail/CVE-2023-5090) CVSSv3 score: 5.5(Medium) A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition. * [CVE-2023-5158](https://nvd.nist.gov/vuln/detail/CVE-2023-5158) CVSSv3 score: 5.5(Medium) A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor. * [CVE-2023-51779](https://nvd.nist.gov/vuln/detail/CVE-2023-51779) CVSSv3 score: n/a * [CVE-2023-51780](https://nvd.nist.gov/vuln/detail/CVE-2023-51780) CVSSv3 score: n/a An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition. * [CVE-2023-51781](https://nvd.nist.gov/vuln/detail/CVE-2023-51781) CVSSv3 score: n/a An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition. * [CVE-2023-51782](https://nvd.nist.gov/vuln/detail/CVE-2023-51782) CVSSv3 score: n/a An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition. * [CVE-2023-5197](https://nvd.nist.gov/vuln/detail/CVE-2023-5197) CVSSv3 score: 6.6(Medium) A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. 
Addition and removal of rules from chain bindings within the same transaction causes leads to use-after-free. We recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325. * [CVE-2023-5345](https://nvd.nist.gov/vuln/detail/CVE-2023-5345) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free. We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705. * [CVE-2023-5717](https://nvd.nist.gov/vuln/detail/CVE-2023-5717) CVSSv3 score: n/a A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06. * [CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121) CVSSv3 score: n/a An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg). * [CVE-2023-6176](https://nvd.nist.gov/vuln/detail/CVE-2023-6176) CVSSv3 score: 7.8(High) A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system. 
* [CVE-2023-6531](https://nvd.nist.gov/vuln/detail/CVE-2023-6531) CVSSv3 score: n/a * [CVE-2023-6546](https://nvd.nist.gov/vuln/detail/CVE-2023-6546) CVSSv3 score: 7(High) A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system. * [CVE-2023-6606](https://nvd.nist.gov/vuln/detail/CVE-2023-6606) CVSSv3 score: n/a An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information. * [CVE-2023-6622](https://nvd.nist.gov/vuln/detail/CVE-2023-6622) CVSSv3 score: n/a A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service. * [CVE-2023-6817](https://nvd.nist.gov/vuln/detail/CVE-2023-6817) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free. We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a. * [CVE-2023-6931](https://nvd.nist.gov/vuln/detail/CVE-2023-6931) CVSSv3 score: n/a A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. 
A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b. * [CVE-2023-6932](https://nvd.nist.gov/vuln/detail/CVE-2023-6932) CVSSv3 score: 7(High) A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1. * [CVE-2023-7192](https://nvd.nist.gov/vuln/detail/CVE-2023-7192) CVSSv3 score: 4.4(Medium) A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow. * OpenSSL * [CVE-2023-3446](https://nvd.nist.gov/vuln/detail/CVE-2023-3446) CVSSv3 score: 5.3(Medium) Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. 
An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. * [CVE-2023-2975](https://nvd.nist.gov/vuln/detail/CVE-2023-2975) CVSSv3 score: 5.3(Medium) Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be mislead by removing adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue. 
* [CVE-2023-2650](https://nvd.nist.gov/vuln/detail/CVE-2023-2650) CVSSv3 score: 6.5(Medium) Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. 
It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. * Python * [CVE-2023-41105](https://nvd.nist.gov/vuln/detail/CVE-2023-41105) CVSSv3 score: 7.5(High) An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x. * [CVE-2023-40217](https://nvd.nist.gov/vuln/detail/CVE-2023-40217) CVSSv3 score: 5.3(Medium) An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. 
(The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) * SDK: Rust * [CVE-2023-38497](https://nvd.nist.gov/vuln/detail/CVE-2023-38497) CVSSv3 score: 7.3(High) Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`. * VMware: open-vm-tools * [CVE-2023-20900](https://nvd.nist.gov/vuln/detail/CVE-2023-20900) CVSSv3 score: 7.5(High) A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . * [CVE-2023-20867](https://nvd.nist.gov/vuln/detail/CVE-2023-20867) CVSSv3 score: n/a A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. 
* binutils * [CVE-2023-1579](https://nvd.nist.gov/vuln/detail/CVE-2023-1579) CVSSv3 score: 7.8(High) Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64. * [CVE-2022-4285](https://nvd.nist.gov/vuln/detail/CVE-2022-4285) CVSSv3 score: 5.5(Medium) An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599. * [CVE-2022-38533](https://nvd.nist.gov/vuln/detail/CVE-2022-38533) CVSSv3 score: 5.5(Medium) In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file. * c-ares * [CVE-2023-32067](https://nvd.nist.gov/vuln/detail/CVE-2023-32067) CVSSv3 score: n/a c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. * [CVE-2023-31147](https://nvd.nist.gov/vuln/detail/CVE-2023-31147) CVSSv3 score: 6.5(Medium) c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. 
* [CVE-2023-31130](https://nvd.nist.gov/vuln/detail/CVE-2023-31130) CVSSv3 score: 6.4(Medium) c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. * [CVE-2023-31124](https://nvd.nist.gov/vuln/detail/CVE-2023-31124) CVSSv3 score: n/a c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. * curl * [CVE-2023-38546](https://nvd.nist.gov/vuln/detail/CVE-2023-38546) CVSSv3 score: 3.7(Low) This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). 
Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. * [CVE-2023-38545](https://nvd.nist.gov/vuln/detail/CVE-2023-38545) CVSSv3 score: 9.8(Critical) This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. * [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) CVSSv3 score: 7.5(High) When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. 
* [CVE-2023-28322](https://nvd.nist.gov/vuln/detail/CVE-2023-28322) CVSSv3 score: 3.7(Low) An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. Next: https://hackmd.io/l9LNp7KNTjqkFdEQQMVmyQ