* [CVE-2022-23036](https://nvd.nist.gov/vuln/detail/CVE-2022-23036) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends:
  * blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036; netfront: CVE-2022-23037; scsifront: CVE-2022-23038; gntalloc: CVE-2022-23039; xenbus: CVE-2022-23040.
  * blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041.
  * netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.
* [CVE-2022-23037](https://nvd.nist.gov/vuln/detail/CVE-2022-23037) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends (netfront: race between the in-use check and removal of granted access). Same CNA information record as CVE-2022-23036 above.
* [CVE-2022-23038](https://nvd.nist.gov/vuln/detail/CVE-2022-23038) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends (scsifront: race between the in-use check and removal of granted access). Same CNA information record as CVE-2022-23036 above.
* [CVE-2022-23039](https://nvd.nist.gov/vuln/detail/CVE-2022-23039) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends (gntalloc: race between the in-use check and removal of granted access). Same CNA information record as CVE-2022-23036 above.
* [CVE-2022-23040](https://nvd.nist.gov/vuln/detail/CVE-2022-23040) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends (xenbus: success of removing the granted access of a shared ring buffer is not checked). Same CNA information record as CVE-2022-23036 above.
* [CVE-2022-23041](https://nvd.nist.gov/vuln/detail/CVE-2022-23041) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends (blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls: freeing of the data page is not synchronized with dropping the granted access). Same CNA information record as CVE-2022-23036 above.
* [CVE-2022-23042](https://nvd.nist.gov/vuln/detail/CVE-2022-23042) CVSSv3 score: 7 (High) Linux PV device frontends vulnerable to attacks by backends (netfront: BUG_ON() assertion failure in the rx path, a guest DoS triggerable by the backend). Same CNA information record as CVE-2022-23036 above.
* [CVE-2022-2308](https://nvd.nist.gov/vuln/detail/CVE-2022-2308) CVSSv3 score: 6.5 (Medium) A flaw was found in vDPA with VDUSE backend. There are currently no checks in the VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers' config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config(), returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
* [CVE-2022-2318](https://nvd.nist.gov/vuln/detail/CVE-2022-2318) CVSSv3 score: 5.5 (Medium) There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of Linux that allow attackers to crash the Linux kernel without any privileges.
* [CVE-2022-23222](https://nvd.nist.gov/vuln/detail/CVE-2022-23222) CVSSv3 score: 7.8 (High) kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.
* [CVE-2022-2380](https://nvd.nist.gov/vuln/detail/CVE-2022-2380) CVSSv3 score: 5.5 (Medium) The Linux kernel was found vulnerable to an out-of-bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. The vulnerability could result in local attackers being able to crash the kernel.
* [CVE-2022-23960](https://nvd.nist.gov/vuln/detail/CVE-2022-23960) CVSSv3 score: 5.6 (Medium) Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
* [CVE-2022-24122](https://nvd.nist.gov/vuln/detail/CVE-2022-24122) CVSSv3 score: 7.8 (High) kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.
* [CVE-2022-24448](https://nvd.nist.gov/vuln/detail/CVE-2022-24448) CVSSv3 score: 3.3 (Low) An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
* [CVE-2022-24958](https://nvd.nist.gov/vuln/detail/CVE-2022-24958) CVSSv3 score: 7.8 (High) drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.
* [CVE-2022-24959](https://nvd.nist.gov/vuln/detail/CVE-2022-24959) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.
* [CVE-2022-2503](https://nvd.nist.gov/vuln/detail/CVE-2022-2503) CVSSv3 score: 6.7 (Medium) Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5.
* [CVE-2022-25258](https://nvd.nist.gov/vuln/detail/CVE-2022-25258) CVSSv3 score: 4.6 (Medium) An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
* [CVE-2022-25375](https://nvd.nist.gov/vuln/detail/CVE-2022-25375) CVSSv3 score: 5.5 (Medium) An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.
* [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) CVSSv3 score: 7.8 (High) net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
* [CVE-2022-2585](https://nvd.nist.gov/vuln/detail/CVE-2022-2585) CVSSv3 score: n/a
* [CVE-2022-2586](https://nvd.nist.gov/vuln/detail/CVE-2022-2586) CVSSv3 score: n/a
* [CVE-2022-2588](https://nvd.nist.gov/vuln/detail/CVE-2022-2588) CVSSv3 score: n/a
* [CVE-2022-2602](https://nvd.nist.gov/vuln/detail/CVE-2022-2602) CVSSv3 score: n/a
* [CVE-2022-26365](https://nvd.nist.gov/vuln/detail/CVE-2022-26365) CVSSv3 score: 7.1 (High) Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
* [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373) CVSSv3 score: 5.5 (Medium) Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
* [CVE-2022-2639](https://nvd.nist.gov/vuln/detail/CVE-2022-2639) CVSSv3 score: 7.8 (High) An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2022-26490](https://nvd.nist.gov/vuln/detail/CVE-2022-26490) CVSSv3 score: 7.8 (High) st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.
* [CVE-2022-2663](https://nvd.nist.gov/vuln/detail/CVE-2022-2663) CVSSv3 score: 5.3 (Medium) An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.
* [CVE-2022-26966](https://nvd.nist.gov/vuln/detail/CVE-2022-26966) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.
* [CVE-2022-27223](https://nvd.nist.gov/vuln/detail/CVE-2022-27223) CVSSv3 score: 8.8 (High) In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.
* [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666) CVSSv3 score: 7.8 (High) A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.
* [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672) CVSSv3 score: 4.7 (Medium) When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch, potentially resulting in information disclosure.
* [CVE-2022-27950](https://nvd.nist.gov/vuln/detail/CVE-2022-27950) CVSSv3 score: 5.5 (Medium) In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.
* [CVE-2022-28356](https://nvd.nist.gov/vuln/detail/CVE-2022-28356) CVSSv3 score: 5.5 (Medium) In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
* [CVE-2022-28388](https://nvd.nist.gov/vuln/detail/CVE-2022-28388) CVSSv3 score: 5.5 (Medium) usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.
* [CVE-2022-28389](https://nvd.nist.gov/vuln/detail/CVE-2022-28389) CVSSv3 score: 5.5 (Medium) mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.
* [CVE-2022-28390](https://nvd.nist.gov/vuln/detail/CVE-2022-28390) CVSSv3 score: 7.8 (High) ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.
* [CVE-2022-2873](https://nvd.nist.gov/vuln/detail/CVE-2022-2873) CVSSv3 score: 5.5 (Medium) An out-of-bounds memory access flaw was found in the Linux kernel Intel iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.
* [CVE-2022-28893](https://nvd.nist.gov/vuln/detail/CVE-2022-28893) CVSSv3 score: 7.8 (High) The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
* [CVE-2022-2905](https://nvd.nist.gov/vuln/detail/CVE-2022-2905) CVSSv3 score: 5.5 (Medium) An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.
* [CVE-2022-29156](https://nvd.nist.gov/vuln/detail/CVE-2022-29156) CVSSv3 score: 7.8 (High) drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.
* [CVE-2022-2938](https://nvd.nist.gov/vuln/detail/CVE-2022-2938) CVSSv3 score: 7.8 (High) A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.
* [CVE-2022-29581](https://nvd.nist.gov/vuln/detail/CVE-2022-29581) CVSSv3 score: n/a Improper Update of Reference Count vulnerability in net/sched of the Linux kernel allows a local attacker to cause privilege escalation to root. This issue affects: Linux kernel versions prior to 5.18; version 4.14 and later versions.
* [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582) CVSSv3 score: 7 (High) In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.
* [CVE-2022-2959](https://nvd.nist.gov/vuln/detail/CVE-2022-2959) CVSSv3 score: 7 (High) A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.
* [CVE-2022-2964](https://nvd.nist.gov/vuln/detail/CVE-2022-2964) CVSSv3 score: 7.8 (High) A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
* [CVE-2022-2977](https://nvd.nist.gov/vuln/detail/CVE-2022-2977) CVSSv3 score: 7.8 (High) A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.
* [CVE-2022-2978](https://nvd.nist.gov/vuln/detail/CVE-2022-2978) CVSSv3 score: 7.8 (High) A use-after-free flaw was found in the Linux kernel NILFS file system in the way a user triggers the function security_inode_alloc to fail, followed by a call to the function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2022-29900](https://nvd.nist.gov/vuln/detail/CVE-2022-29900) CVSSv3 score: 6.5 (Medium) Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
* [CVE-2022-29901](https://nvd.nist.gov/vuln/detail/CVE-2022-29901) CVSSv3 score: 6.5 (Medium) Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
* [CVE-2022-3028](https://nvd.nist.gov/vuln/detail/CVE-2022-3028) CVSSv3 score: 7 (High) A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.
* [CVE-2022-30594](https://nvd.nist.gov/vuln/detail/CVE-2022-30594) CVSSv3 score: 7.8 (High) The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
* [CVE-2022-3061](https://nvd.nist.gov/vuln/detail/CVE-2022-3061) CVSSv3 score: 5.5 (Medium) A Linux kernel flaw was found in the i740 driver. A userspace program could pass any values to the driver through the ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide-by-zero error.
* [CVE-2022-3077](https://nvd.nist.gov/vuln/detail/CVE-2022-3077) CVSSv3 score: 5.5 (Medium) A buffer overflow vulnerability was found in the Linux kernel Intel iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system.
* [CVE-2022-3078](https://nvd.nist.gov/vuln/detail/CVE-2022-3078) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of a check after calling vzalloc() and a lack of a free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.
* [CVE-2022-3104](https://nvd.nist.gov/vuln/detail/CVE-2022-3104) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks a check of the return value of kmalloc() and will cause a null pointer dereference.
* [CVE-2022-3105](https://nvd.nist.gov/vuln/detail/CVE-2022-3105) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks a check of kmalloc_array().
* [CVE-2022-3106](https://nvd.nist.gov/vuln/detail/CVE-2022-3106) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks a check of the return value of kmalloc().
* [CVE-2022-3107](https://nvd.nist.gov/vuln/detail/CVE-2022-3107) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks a check of the return value of kvmalloc_array() and will cause a null pointer dereference.
* [CVE-2022-3108](https://nvd.nist.gov/vuln/detail/CVE-2022-3108) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks a check of the return value of kmemdup().
* [CVE-2022-3110](https://nvd.nist.gov/vuln/detail/CVE-2022-3110) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. _rtw_init_xmit_priv in drivers/staging/r8188eu/core/rtw_xmit.c lacks a check of the return value of rtw_alloc_hwxmits() and will cause a null pointer dereference.
* [CVE-2022-3111](https://nvd.nist.gov/vuln/detail/CVE-2022-3111) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks a free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().
* [CVE-2022-3112](https://nvd.nist.gov/vuln/detail/CVE-2022-3112) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks a check of the return value of kzalloc() and will cause a null pointer dereference.
* [CVE-2022-3113](https://nvd.nist.gov/vuln/detail/CVE-2022-3113) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks a check of the return value of devm_kzalloc() and will cause a null pointer dereference.
* [CVE-2022-3115](https://nvd.nist.gov/vuln/detail/CVE-2022-3115) CVSSv3 score: 5.5 (Medium) An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks a check of the return value of kzalloc() and will cause a null pointer dereference.
* [CVE-2022-3169](https://nvd.nist.gov/vuln/detail/CVE-2022-3169) CVSSv3 score: 5.5 (Medium) A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.
* [CVE-2022-3176](https://nvd.nist.gov/vuln/detail/CVE-2022-3176) CVSSv3 score: n/a There exists a use-after-free in io_uring in the Linux kernel. signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659.
* [CVE-2022-3202](https://nvd.nist.gov/vuln/detail/CVE-2022-3202) CVSSv3 score: 7.1 (High) A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in the Journaled File System (JFS) in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.
* [CVE-2022-32250](https://nvd.nist.gov/vuln/detail/CVE-2022-32250) CVSSv3 score: 7.8 (High) net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.
* [CVE-2022-32296](https://nvd.nist.gov/vuln/detail/CVE-2022-32296) CVSSv3 score: 3.3 (Low) The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 ("Double-Hash Port Selection Algorithm") of RFC 6056.
* [CVE-2022-3239](https://nvd.nist.gov/vuln/detail/CVE-2022-3239) CVSSv3 score: 7.8 (High) A use-after-free flaw was found in the Linux kernel video4linux driver in the way a user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2022-32981](https://nvd.nist.gov/vuln/detail/CVE-2022-32981) CVSSv3 score: 7.8 (High) An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.
* [CVE-2022-3303](https://nvd.nist.gov/vuln/detail/CVE-2022-3303) CVSSv3 score: 4.7 (Medium) A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition.
* [CVE-2022-3344](https://nvd.nist.gov/vuln/detail/CVE-2022-3344) CVSSv3 score: 5.5 (Medium) A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).
* [CVE-2022-33740](https://nvd.nist.gov/vuln/detail/CVE-2022-33740) CVSSv3 score: 7.1 (High) Linux disk/nic frontends data leaks (Block and Network PV device frontends don't zero memory regions before sharing them with the backend). Same CNA information record as CVE-2022-26365 above.
* [CVE-2022-33741](https://nvd.nist.gov/vuln/detail/CVE-2022-33741) CVSSv3 score: 7.1 (High) Linux disk/nic frontends data leaks (grant table granularity doesn't allow sharing less than a 4K page, so unrelated data in the same 4K page is accessible to the backend). Same CNA information record as CVE-2022-26365 above.
* [CVE-2022-33742](https://nvd.nist.gov/vuln/detail/CVE-2022-33742) CVSSv3 score: 7.1(High) Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). * [CVE-2022-33743](https://nvd.nist.gov/vuln/detail/CVE-2022-33743) CVSSv3 score: 7.8(High) network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. * [CVE-2022-33744](https://nvd.nist.gov/vuln/detail/CVE-2022-33744) CVSSv3 score: 4.7(Medium) Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. * [CVE-2022-33981](https://nvd.nist.gov/vuln/detail/CVE-2022-33981) CVSSv3 score: 3.3(Low) drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function. 
* [CVE-2022-3424](https://nvd.nist.gov/vuln/detail/CVE-2022-3424) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel’s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system. * [CVE-2022-34494](https://nvd.nist.gov/vuln/detail/CVE-2022-34494) CVSSv3 score: 5.5(Medium) rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free. * [CVE-2022-34495](https://nvd.nist.gov/vuln/detail/CVE-2022-34495) CVSSv3 score: 5.5(Medium) rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free. * [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. * [CVE-2022-3521](https://nvd.nist.gov/vuln/detail/CVE-2022-3521) CVSSv3 score: 2.5(Low) A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability. * [CVE-2022-3524](https://nvd.nist.gov/vuln/detail/CVE-2022-3524) CVSSv3 score: 5.5(Medium) A vulnerability was found in Linux Kernel. It has been declared as problematic. 
Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability. * [CVE-2022-3526](https://nvd.nist.gov/vuln/detail/CVE-2022-3526) CVSSv3 score: 7.5(High) A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function macvlan_handle_frame of the file drivers/net/macvlan.c of the component skb. The manipulation leads to memory leak. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211024. * [CVE-2022-3534](https://nvd.nist.gov/vuln/detail/CVE-2022-3534) CVSSv3 score: 8(High) A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032. * [CVE-2022-3543](https://nvd.nist.gov/vuln/detail/CVE-2022-3543) CVSSv3 score: 5.5(Medium) A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043. * [CVE-2022-3545](https://nvd.nist.gov/vuln/detail/CVE-2022-3545) CVSSv3 score: 7.8(High) A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. 
It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability. * [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564) CVSSv3 score: 7.1(High) A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087. * [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 7.8(High) A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088. * [CVE-2022-3577](https://nvd.nist.gov/vuln/detail/CVE-2022-3577) CVSSv3 score: 7.8(High) An out-of-bounds memory write flaw was found in the Linux kernel’s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write. * [CVE-2022-3586](https://nvd.nist.gov/vuln/detail/CVE-2022-3586) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service. 
* [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: n/a A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363. * [CVE-2022-36123](https://nvd.nist.gov/vuln/detail/CVE-2022-36123) CVSSv3 score: 7.8(High) The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. * [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619) CVSSv3 score: 4.3(Medium) A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability. * [CVE-2022-3621](https://nvd.nist.gov/vuln/detail/CVE-2022-3621) CVSSv3 score: 6.5(Medium) A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920. * [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623) CVSSv3 score: 7.5(High) A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. 
The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability. * [CVE-2022-3625](https://nvd.nist.gov/vuln/detail/CVE-2022-3625) CVSSv3 score: 7.8(High) A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability. * [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628) CVSSv3 score: 6.6(Medium) A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges. * [CVE-2022-36280](https://nvd.nist.gov/vuln/detail/CVE-2022-36280) CVSSv3 score: 5.5(Medium) An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). * [CVE-2022-3629](https://nvd.nist.gov/vuln/detail/CVE-2022-3629) CVSSv3 score: 3.3(Low) A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability. * [CVE-2022-3633](https://nvd.nist.gov/vuln/detail/CVE-2022-3633) CVSSv3 score: 3.3(Low) A vulnerability classified as problematic has been found in Linux Kernel. 
Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932. * [CVE-2022-3635](https://nvd.nist.gov/vuln/detail/CVE-2022-3635) CVSSv3 score: 7(High) A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. * [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643) CVSSv3 score: 6.5(Medium) Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. * [CVE-2022-3646](https://nvd.nist.gov/vuln/detail/CVE-2022-3646) CVSSv3 score: 4.3(Medium) A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability. 
* [CVE-2022-3649](https://nvd.nist.gov/vuln/detail/CVE-2022-3649) CVSSv3 score: 7(High) A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992. * [CVE-2022-36879](https://nvd.nist.gov/vuln/detail/CVE-2022-36879) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. * [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High) nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. * [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707) CVSSv3 score: 5.5(Medium) A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. * [CVE-2022-39189](https://nvd.nist.gov/vuln/detail/CVE-2022-39189) CVSSv3 score: 7.8(High) An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations. * [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190) CVSSv3 score: 5.5(Medium) An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain. 
* [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. * [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768) CVSSv3 score: 5.5(Medium) drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case. * [CVE-2022-4095](https://nvd.nist.gov/vuln/detail/CVE-2022-4095) CVSSv3 score: 7.8(High) A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges. * [CVE-2022-40982](https://nvd.nist.gov/vuln/detail/CVE-2022-40982) CVSSv3 score: n/a Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. * [CVE-2022-41218](https://nvd.nist.gov/vuln/detail/CVE-2022-41218) CVSSv3 score: 5.5(Medium) In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. * [CVE-2022-41222](https://nvd.nist.gov/vuln/detail/CVE-2022-41222) CVSSv3 score: 7(High) mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. * [CVE-2022-4129](https://nvd.nist.gov/vuln/detail/CVE-2022-4129) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. 
A local user could use this flaw to potentially crash the system causing a denial of service. * [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674) CVSSv3 score: 8.1(High) An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. * [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849) CVSSv3 score: 4.2(Medium) drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect. * [CVE-2022-41850](https://nvd.nist.gov/vuln/detail/CVE-2022-41850) CVSSv3 score: 4.7(Medium) roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress. * [CVE-2022-41858](https://nvd.nist.gov/vuln/detail/CVE-2022-41858) CVSSv3 score: 7.1(High) A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information. * [CVE-2022-42432](https://nvd.nist.gov/vuln/detail/CVE-2022-42432) CVSSv3 score: 4.4(Medium) This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. 
An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540. * [CVE-2022-4269](https://nvd.nist.gov/vuln/detail/CVE-2022-4269) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. * [CVE-2022-42703](https://nvd.nist.gov/vuln/detail/CVE-2022-42703) CVSSv3 score: 5.5(Medium) mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. * [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719) CVSSv3 score: 8.8(High) A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. * [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720) CVSSv3 score: 7.8(High) Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code. * [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721) CVSSv3 score: 5.5(Medium) A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code. 
* [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722) CVSSv3 score: 5.5(Medium) In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices. * [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895) CVSSv3 score: 6.5(Medium) There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url * [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896) CVSSv3 score: 8.8(High) There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://www.google.com/url https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url * [CVE-2022-43750](https://nvd.nist.gov/vuln/detail/CVE-2022-43750) CVSSv3 score: 6.7(Medium) drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory. * [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378) CVSSv3 score: 7.8(High) A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. 
* [CVE-2022-4379](https://nvd.nist.gov/vuln/detail/CVE-2022-4379) CVSSv3 score: 7.5(High) A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial * [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382) CVSSv3 score: 6.4(Medium) A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side. * [CVE-2022-43945](https://nvd.nist.gov/vuln/detail/CVE-2022-43945) CVSSv3 score: 7.5(High) The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869) CVSSv3 score: 5.5(Medium) A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled. * [CVE-2022-45886](https://nvd.nist.gov/vuln/detail/CVE-2022-45886) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free. 
* [CVE-2022-45887](https://nvd.nist.gov/vuln/detail/CVE-2022-45887) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.
* [CVE-2022-45919](https://nvd.nist.gov/vuln/detail/CVE-2022-45919) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event.
* [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.
* [CVE-2022-4662](https://nvd.nist.gov/vuln/detail/CVE-2022-4662) CVSSv3 score: 5.5(Medium) An incorrect access control flaw was found in the Linux kernel USB core subsystem in the way a user attaches a USB device. A local user could use this flaw to crash the system.
* [CVE-2022-4744](https://nvd.nist.gov/vuln/detail/CVE-2022-4744) CVSSv3 score: 7.8(High) A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2022-47518](https://nvd.nist.gov/vuln/detail/CVE-2022-47518) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.
* [CVE-2022-47519](https://nvd.nist.gov/vuln/detail/CVE-2022-47519) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.
* [CVE-2022-47520](https://nvd.nist.gov/vuln/detail/CVE-2022-47520) CVSSv3 score: 7.1(High) An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.
* [CVE-2022-47521](https://nvd.nist.gov/vuln/detail/CVE-2022-47521) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.
* [CVE-2022-47929](https://nvd.nist.gov/vuln/detail/CVE-2022-47929) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c.
* [CVE-2022-47938](https://nvd.nist.gov/vuln/detail/CVE-2022-47938) CVSSv3 score: 6.5(Medium) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.
* [CVE-2022-47939](https://nvd.nist.gov/vuln/detail/CVE-2022-47939) CVSSv3 score: 9.8(Critical) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
* [CVE-2022-47941](https://nvd.nist.gov/vuln/detail/CVE-2022-47941) CVSSv3 score: 7.5(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.
* [CVE-2022-47942](https://nvd.nist.gov/vuln/detail/CVE-2022-47942) CVSSv3 score: 8.8(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.
* [CVE-2022-47943](https://nvd.nist.gov/vuln/detail/CVE-2022-47943) CVSSv3 score: 8.1(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.
* [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the Linux kernel NTFS3 driver function attr_punch_hole(). A local user could use this flaw to crash the system.
* [CVE-2022-48423](https://nvd.nist.gov/vuln/detail/CVE-2022-48423) CVSSv3 score: 7.8(High) In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.
* [CVE-2022-48424](https://nvd.nist.gov/vuln/detail/CVE-2022-48424) CVSSv3 score: 7.8(High) In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.
* [CVE-2022-48425](https://nvd.nist.gov/vuln/detail/CVE-2022-48425) CVSSv3 score: 7.8(High) In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
* [CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502) CVSSv3 score: 7.1(High) An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.
* [CVE-2023-0045](https://nvd.nist.gov/vuln/detail/CVE-2023-0045) CVSSv3 score: 7.5(High) The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR in the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected into the BTB prior to the prctl syscall. The patch that added support for the conditional mitigation via prctl (ib_prctl_set) dates back to kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96.
* [CVE-2023-0160](https://nvd.nist.gov/vuln/detail/CVE-2023-0160) CVSSv3 score: 5.5(Medium) A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.
* [CVE-2023-0179](https://nvd.nist.gov/vuln/detail/CVE-2023-0179) CVSSv3 score: 7.8(High) A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow local privilege escalation to the root user via arbitrary code execution.
* [CVE-2023-0210](https://nvd.nist.gov/vuln/detail/CVE-2023-0210) CVSSv3 score: 7.5(High) A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately on Linux-based systems.
* [CVE-2023-0266](https://nvd.nist.gov/vuln/detail/CVE-2023-0266) CVSSv3 score: 7.8(High) A use-after-free vulnerability exists in the ALSA PCM package in the Linux kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks, which can be used in a use-after-free that can result in a privilege escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e.
* [CVE-2023-0386](https://nvd.nist.gov/vuln/detail/CVE-2023-0386) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel, where unauthorized access to the execution of a setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
* [CVE-2023-0394](https://nvd.nist.gov/vuln/detail/CVE-2023-0394) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.
* [CVE-2023-0458](https://nvd.nist.gov/vuln/detail/CVE-2023-0458) CVSSv3 score: 4.7(Medium) A speculative pointer dereference problem exists in the Linux kernel in the do_prlimit() function. The resource argument value is user-controlled and is used in pointer arithmetic for the 'rlim' variable, and can be used to leak its contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
* [CVE-2023-0459](https://nvd.nist.gov/vuln/detail/CVE-2023-0459) CVSSv3 score: 5.5(Medium) copy_from_user on 64-bit versions of the Linux kernel does not implement __uaccess_begin_nospec, allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47.
* [CVE-2023-0461](https://nvd.nist.gov/vuln/detail/CVE-2023-0461) CVSSv3 score: n/a There is a use-after-free vulnerability in the Linux kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability the kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be set, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, a user can install a TLS context (struct tls_context) on a connected TCP socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c.
* [CVE-2023-0590](https://nvd.nist.gov/vuln/detail/CVE-2023-0590) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") is not applied yet, the kernel could be affected.
* [CVE-2023-0615](https://nvd.nist.gov/vuln/detail/CVE-2023-0615) CVSSv3 score: 5.5(Medium) A memory leak flaw, a potential divide by zero and an integer overflow were found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as the VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if the vivid test code is enabled.
* [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073) CVSSv3 score: 6.6(Medium) A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074) CVSSv3 score: 5.5(Medium) A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.
* [CVE-2023-1076](https://nvd.nist.gov/vuln/detail/CVE-2023-1076) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., for a non-root user who only has that capability. This would make tun/tap sockets be incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
* [CVE-2023-1077](https://nvd.nist.gov/vuln/detail/CVE-2023-1077) CVSSv3 score: 7(High) In the Linux kernel, pick_next_rt_entity() may return a type-confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but a list_head. The buggy error condition would lead to a type-confused entry with the list head, which would then be used as a type-confused sched_rt_entity, causing memory corruption.
* [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel in the RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list, causing a type confusion. A local user can trigger this with rds_message_put(). The type confusion leads to `struct rds_msg_zcopy_info *info` actually pointing to something else that is potentially controlled by the local user. It is known how to trigger this, which causes an out-of-bounds access and a lock corruption.
* [CVE-2023-1079](https://nvd.nist.gov/vuln/detail/CVE-2023-1079) CVSSv3 score: 6.8(Medium) A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging in or disconnecting a malicious USB device which advertises itself as an Asus device. Similarly to the previously known CVE-2023-25012, but in Asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
* [CVE-2023-1095](https://nvd.nist.gov/vuln/detail/CVE-2023-1095) CVSSv3 score: 5.5(Medium) In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list; the list head is all zeroes, which results in a NULL pointer dereference.
* [CVE-2023-1118](https://nvd.nist.gov/vuln/detail/CVE-2023-1118) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel integrated infrared receiver/transceiver driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1192](https://nvd.nist.gov/vuln/detail/CVE-2023-1192) CVSSv3 score: n/a
* [CVE-2023-1206](https://nvd.nist.gov/vuln/detail/CVE-2023-1206) CVSSv3 score: 5.7(Medium) A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located on the local network or with a high-bandwidth connection can increase the CPU usage of a server that accepts IPv6 connections up to 95%.
* [CVE-2023-1249](https://nvd.nist.gov/vuln/detail/CVE-2023-1249) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. The kernel could be affected only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") is not applied yet.
* [CVE-2023-1252](https://nvd.nist.gov/vuln/detail/CVE-2023-1252) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel’s Ext4 file system in how a user triggers several file operations simultaneously with overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. The kernel could be affected only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") is not applied yet.
* [CVE-2023-1281](https://nvd.nist.gov/vuln/detail/CVE-2023-1281) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel traffic control index filter (tcindex) allows privilege escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root. This issue affects the Linux kernel from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
* [CVE-2023-1295](https://nvd.nist.gov/vuln/detail/CVE-2023-1295) CVSSv3 score: 7(High) A time-of-check to time-of-use issue exists in the io_uring subsystem's IORING_OP_CLOSE operation in Linux kernel versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.
* [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1(High) A slab-out-of-bounds read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
* [CVE-2023-1382](https://nvd.nist.gov/vuln/detail/CVE-2023-1382) CVSSv3 score: 4.7(Medium) A data race flaw was found in the Linux kernel between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the TIPC protocol in the Linux kernel.
* [CVE-2023-1513](https://nvd.nist.gov/vuln/detail/CVE-2023-1513) CVSSv3 score: 3.3(Low) A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
* [CVE-2023-1582](https://nvd.nist.gov/vuln/detail/CVE-2023-1582) CVSSv3 score: 4.7(Medium) A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
* [CVE-2023-1611](https://nvd.nist.gov/vuln/detail/CVE-2023-1611) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.
* [CVE-2023-1637](https://nvd.nist.gov/vuln/detail/CVE-2023-1637) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel X86 CPU power management options functionality, in the way a user resumes the CPU from suspend-to-RAM, that could leave the boot CPU vulnerable to speculative execution attacks. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU, similar to speculative execution attacks.
* [CVE-2023-1652](https://nvd.nist.gov/vuln/detail/CVE-2023-1652) CVSSv3 score: 7.1(High) A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.
* [CVE-2023-1670](https://nvd.nist.gov/vuln/detail/CVE-2023-1670) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1829](https://nvd.nist.gov/vuln/detail/CVE-2023-1829) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker can use this vulnerability to elevate their privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.
* [CVE-2023-1838](https://nvd.nist.gov/vuln/detail/CVE-2023-1838) CVSSv3 score: 7.1(High) A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in the virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
* [CVE-2023-1855](https://nvd.nist.gov/vuln/detail/CVE-2023-1855) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux kernel driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
* [CVE-2023-1859](https://nvd.nist.gov/vuln/detail/CVE-2023-1859) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in xen_9pfs_front_remove in net/9p/trans_xen.c in the Xen transport for 9pfs in the Linux kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.
* [CVE-2023-1989](https://nvd.nist.gov/vuln/detail/CVE-2023-1989) CVSSv3 score: 7(High) A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux kernel. In this flaw, a call to btsdio_remove with an unfinished job may cause a race problem leading to a UAF on hdev devices.
* [CVE-2023-1990](https://nvd.nist.gov/vuln/detail/CVE-2023-1990) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux kernel. This flaw could allow an attacker to crash the system due to a race problem.
* [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: 6.8(Medium) A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
* [CVE-2023-2006](https://nvd.nist.gov/vuln/detail/CVE-2023-2006) CVSSv3 score: 7(High) A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-2008](https://nvd.nist.gov/vuln/detail/CVE-2023-2008) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-2019](https://nvd.nist.gov/vuln/detail/CVE-2023-2019) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.
* [CVE-2023-20569](https://nvd.nist.gov/vuln/detail/CVE-2023-20569) CVSSv3 score: 4.7(Medium) A side channel vulnerability on some AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
* [CVE-2023-20588](https://nvd.nist.gov/vuln/detail/CVE-2023-20588) CVSSv3 score: 5.5(Medium) A division-by-zero error on some AMD processors can potentially return speculative data, resulting in loss of confidentiality.
* [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium) An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
* [CVE-2023-20928](https://nvd.nist.gov/vuln/detail/CVE-2023-20928) CVSSv3 score: 7.8(High) In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-254837884. References: Upstream kernel.
* [CVE-2023-21102](https://nvd.nist.gov/vuln/detail/CVE-2023-21102) CVSSv3 score: 7.8(High) In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-260821414. References: Upstream kernel.
* [CVE-2023-2124](https://nvd.nist.gov/vuln/detail/CVE-2023-2124) CVSSv3 score: 7.8(High) An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-2156](https://nvd.nist.gov/vuln/detail/CVE-2023-2156) CVSSv3 score: 7.5(High) A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.
* [CVE-2023-2162](https://nvd.nist.gov/vuln/detail/CVE-2023-2162) CVSSv3 score: 5.5(Medium) A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in the SCSI sub-component in the Linux kernel. Through this flaw an attacker could leak kernel internal information.
* [CVE-2023-2163](https://nvd.nist.gov/vuln/detail/CVE-2023-2163) CVSSv3 score: 8.8(High) Incorrect verifier pruning in BPF in Linux kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.
* [CVE-2023-2166](https://nvd.nist.gov/vuln/detail/CVE-2023-2166) CVSSv3 score: 5.5(Medium) A NULL pointer dereference issue was found in the CAN protocol in net/can/af_can.c in the Linux kernel. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.
* [CVE-2023-2177](https://nvd.nist.gov/vuln/detail/CVE-2023-2177) CVSSv3 score: 5.5(Medium) A NULL pointer dereference issue was found in the SCTP network protocol in net/sctp/stream_sched.c in the Linux kernel. If the stream_in allocation fails, stream_out is freed but is subsequently accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.
* [CVE-2023-2194](https://nvd.nist.gov/vuln/detail/CVE-2023-2194) CVSSv3 score: 6.7(Medium) An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.
* [CVE-2023-2235](https://nvd.nist.gov/vuln/detail/CVE-2023-2235) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel Performance Events system can be exploited to achieve local privilege escalation. The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on siblings before detaching them from their group, making it possible to use a dangling pointer, causing a use-after-free vulnerability. We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.
* [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4(Medium) A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux kernel Device Mapper-Multipathing sub-component.
* [CVE-2023-22998](https://nvd.nist.gov/vuln/detail/CVE-2023-22998) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-22999](https://nvd.nist.gov/vuln/detail/CVE-2023-22999) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23001](https://nvd.nist.gov/vuln/detail/CVE-2023-23001) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23002](https://nvd.nist.gov/vuln/detail/CVE-2023-23002) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23004](https://nvd.nist.gov/vuln/detail/CVE-2023-23004) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23006](https://nvd.nist.gov/vuln/detail/CVE-2023-23006) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23454](https://nvd.nist.gov/vuln/detail/CVE-2023-23454) CVSSv3 score: 5.5(Medium) cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
* [CVE-2023-23455](https://nvd.nist.gov/vuln/detail/CVE-2023-23455) CVSSv3 score: 5.5(Medium) atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
* [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High) In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
* [CVE-2023-25012](https://nvd.nist.gov/vuln/detail/CVE-2023-25012) CVSSv3 score: 4.6(Medium) The Linux kernel through 6.1.9 has a use-after-free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
* [CVE-2023-2513](https://nvd.nist.gov/vuln/detail/CVE-2023-2513) CVSSv3 score: 6.7(Medium) A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
* [CVE-2023-26544](https://nvd.nist.gov/vuln/detail/CVE-2023-26544) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.
* [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 4.7(Medium) In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
* [CVE-2023-26606](https://nvd.nist.gov/vuln/detail/CVE-2023-26606) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.
* [CVE-2023-26607](https://nvd.nist.gov/vuln/detail/CVE-2023-26607) CVSSv3 score: 7.1(High) In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.
* [CVE-2023-28327](https://nvd.nist.gov/vuln/detail/CVE-2023-28327) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c in unix_diag_get_exact in the Linux kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.
* [CVE-2023-28328](https://nvd.nist.gov/vuln/detail/CVE-2023-28328) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dvb-usb/az6027.c in the Linux kernel. The message from user space is not checked properly before being transferred to the device. This flaw allows a local user to crash the system or potentially cause a denial of service.
* [CVE-2023-28410](https://nvd.nist.gov/vuln/detail/CVE-2023-28410) CVSSv3 score: 7.8(High) Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for Linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access.
* [CVE-2023-28466](https://nvd.nist.gov/vuln/detail/CVE-2023-28466) CVSSv3 score: 7(High) do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
* [CVE-2023-2860](https://nvd.nist.gov/vuln/detail/CVE-2023-2860) CVSSv3 score: n/a An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.
* [CVE-2023-28772](https://nvd.nist.gov/vuln/detail/CVE-2023-28772) CVSSv3 score: 6.7(Medium) An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.