* [CVE-2022-3564](https://nvd.nist.gov/vuln/detail/CVE-2022-3564) CVSSv3 score: 7.1(High) A use-after-free was found in the Linux kernel's Bluetooth L2CAP implementation, in l2cap_reassemble_sdu in net/bluetooth/l2cap_core.c. Apply the upstream patch. Associated identifier: VDB-211087.
* [CVE-2022-3565](https://nvd.nist.gov/vuln/detail/CVE-2022-3565) CVSSv3 score: 7.8(High) A use-after-free involving del_timer was found in drivers/isdn/mISDN/l1oip_core.c (the mISDN L1-over-IP driver). Apply the upstream patch. Associated identifier: VDB-211088.
* [CVE-2022-3577](https://nvd.nist.gov/vuln/detail/CVE-2022-3577) CVSSv3 score: 7.8(High) An out-of-bounds memory write flaw was found in the Linux kernel's Kid-friendly Wired Controller (bigben) HID driver, in bigben_probe in drivers/hid/hid-bigbenff.c. The driver assumes that every bigben device has an input report; a malicious USB device can break that assumption, leading to an out-of-bounds write. A local user with such a device could crash the system or potentially escalate privileges.
* [CVE-2022-3586](https://nvd.nist.gov/vuln/detail/CVE-2022-3586) CVSSv3 score: 5.5(Medium) A use-after-free was found in the Linux kernel's networking code: the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued into (and freed by) a child qdisc. A local, unprivileged user can crash the system, causing a denial of service.
* [CVE-2022-3594](https://nvd.nist.gov/vuln/detail/CVE-2022-3594) CVSSv3 score: n/a Excessive logging was found in intr_callback in drivers/net/usb/r8152.c (the Realtek r8152 USB Ethernet driver): a malfunctioning or malicious USB device can flood the kernel log. Apply the upstream patch. Associated identifier: VDB-211363.
* [CVE-2022-3595](https://nvd.nist.gov/vuln/detail/CVE-2022-3595) CVSSv3 score: 5.5(Medium) A double free was found in sess_free_buffer in fs/cifs/sess.c (CIFS session setup). Apply the upstream patch. Associated identifier: VDB-211364.
* [CVE-2022-36123](https://nvd.nist.gov/vuln/detail/CVE-2022-36123) CVSSv3 score: 7.8(High) The Linux kernel before 5.18.13 lacks a clear operation for the block starting symbol (.bss) section in the Xen PV entry path. This allows Xen PV guest OS users to cause a denial of service or gain privileges.
* [CVE-2022-3619](https://nvd.nist.gov/vuln/detail/CVE-2022-3619) CVSSv3 score: 4.3(Medium) A memory leak was found in l2cap_recv_acldata in net/bluetooth/l2cap_core.c (Bluetooth L2CAP). Apply the upstream patch. Associated identifier: VDB-211918.
* [CVE-2022-3621](https://nvd.nist.gov/vuln/detail/CVE-2022-3621) CVSSv3 score: 6.5(Medium) A NULL pointer dereference was found in nilfs_bmap_lookup_at_level in fs/nilfs2/inode.c (nilfs2), reachable by mounting a crafted filesystem image. Apply the upstream patch. Associated identifier: VDB-211920.
* [CVE-2022-3623](https://nvd.nist.gov/vuln/detail/CVE-2022-3623) CVSSv3 score: 7.5(High) A race condition was found in follow_page_pte in mm/gup.c (memory management, page pinning). It is triggered by a local process. Apply the upstream patch. Associated identifier: VDB-211921.
* [CVE-2022-3625](https://nvd.nist.gov/vuln/detail/CVE-2022-3625) CVSSv3 score: 7.8(High) A use-after-free was found in devlink_param_set/devlink_param_get in net/core/devlink.c (devlink). Apply the upstream patch. Associated identifier: VDB-211929.
* [CVE-2022-3628](https://nvd.nist.gov/vuln/detail/CVE-2022-3628) CVSSv3 score: 6.6(Medium) A buffer overflow was found in the Linux kernel's Broadcom FullMAC Wi-Fi driver (brcmfmac). It is triggered when a malicious USB device is connected. A local user with such a device could crash the system or escalate privileges.
* [CVE-2022-36280](https://nvd.nist.gov/vuln/detail/CVE-2022-36280) CVSSv3 score: 5.5(Medium) An out-of-bounds (OOB) memory access was found in the vmwgfx GPU driver, in drivers/gpu/drm/vmwgfx/vmwgfx_kms.c, reachable through the device file /dev/dri/renderD128 (or Dxxx). A local user with access to that device file can crash the system, causing a denial of service (DoS).
* [CVE-2022-3635](https://nvd.nist.gov/vuln/detail/CVE-2022-3635) CVSSv3 score: 7(High) A use-after-free involving tst_timer was found in drivers/atm/idt77252.c (the IDT77252 ATM driver). Apply the upstream patch. Associated identifier: VDB-211934.
* [CVE-2022-3640](https://nvd.nist.gov/vuln/detail/CVE-2022-3640) CVSSv3 score: 8.8(High) A use-after-free was found in l2cap_conn_del in net/bluetooth/l2cap_core.c (Bluetooth L2CAP). Apply the upstream patch. Associated identifier: VDB-211944.
* [CVE-2022-3643](https://nvd.nist.gov/vuln/detail/CVE-2022-3643) CVSSv3 score: 6.5(Medium) Guests can trigger a NIC interface reset/abort/crash via netback. It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux-based network backend by sending certain kinds of packets. There appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB, and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtreme II BCM5780 (bnx2x), though it may be an issue with other NICs/drivers as well. If the frontend sends requests with split headers, netback forwards those that violate the above assumption to the networking core, resulting in the misbehavior described.
* [CVE-2022-3646](https://nvd.nist.gov/vuln/detail/CVE-2022-3646) CVSSv3 score: 4.3(Medium) A memory leak was found in nilfs_attach_log_writer in fs/nilfs2/segment.c (nilfs2). Apply the upstream patch. Associated identifier: VDB-211961.
* [CVE-2022-3649](https://nvd.nist.gov/vuln/detail/CVE-2022-3649) CVSSv3 score: 7(High) A use-after-free was found in nilfs_new_inode in fs/nilfs2/inode.c (nilfs2), reachable by mounting a crafted filesystem image. Apply the upstream patch. Associated identifier: VDB-211992.
* [CVE-2022-36879](https://nvd.nist.gov/vuln/detail/CVE-2022-36879) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.
* [CVE-2022-36946](https://nvd.nist.gov/vuln/detail/CVE-2022-36946) CVSSv3 score: 7.5(High) nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
* [CVE-2022-3707](https://nvd.nist.gov/vuln/detail/CVE-2022-3707) CVSSv3 score: 5.5(Medium) A double-free memory flaw was found in the Linux kernel's Intel GVT-g graphics driver. Resource exhaustion on the virtual graphics device makes intel_gvt_dma_map_guest_page fail, and the error path frees memory twice. A local user could crash the system.
* [CVE-2022-38457](https://nvd.nist.gov/vuln/detail/CVE-2022-38457) CVSSv3 score: 5.5(Medium) A use-after-free (UAF) was found in vmw_cmd_res_check in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in the Linux kernel's vmwgfx driver, reachable through the device file /dev/dri/renderD128 (or Dxxx). A local user with access to that device file can crash the system, causing a denial of service (DoS).
* [CVE-2022-3910](https://nvd.nist.gov/vuln/detail/CVE-2022-3910) CVSSv3 score: n/a Use-after-free vulnerability in the Linux kernel allows privilege escalation. An improper update of a reference count in io_uring leads to a use-after-free and local privilege escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file(), which improperly decreased the file's reference count (leading to use-after-free and local privilege escalation). Fixed files are permanently registered to the ring and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
* [CVE-2022-39189](https://nvd.nist.gov/vuln/detail/CVE-2022-39189) CVSSv3 score: 7.8(High) An issue was discovered in the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
* [CVE-2022-39190](https://nvd.nist.gov/vuln/detail/CVE-2022-39190) CVSSv3 score: 5.5(Medium) An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.
* [CVE-2022-3977](https://nvd.nist.gov/vuln/detail/CVE-2022-3977) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel's MCTP (Management Component Transport Protocol) functionality. It occurs when a user calls the DROPTAG ioctl while the socket is simultaneously being closed. A local user could crash the system or potentially escalate privileges.
* [CVE-2022-40133](https://nvd.nist.gov/vuln/detail/CVE-2022-40133) CVSSv3 score: 5.5(Medium) A use-after-free (UAF) was found in vmw_execbuf_tie_context in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in the Linux kernel's vmwgfx driver, reachable through the device file /dev/dri/renderD128 (or Dxxx). A local user with access to that device file can crash the system, causing a denial of service (DoS).
* [CVE-2022-40307](https://nvd.nist.gov/vuln/detail/CVE-2022-40307) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.
* [CVE-2022-40768](https://nvd.nist.gov/vuln/detail/CVE-2022-40768) CVSSv3 score: 5.5(Medium) drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
* [CVE-2022-4095](https://nvd.nist.gov/vuln/detail/CVE-2022-4095) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel before 5.19.2, in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing a local attacker to cause a denial of service or escalate privileges.
* [CVE-2022-40982](https://nvd.nist.gov/vuln/detail/CVE-2022-40982) CVSSv3 score: n/a Information exposure through microarchitectural state after transient execution in certain vector execution units of some Intel(R) processors (Gather Data Sampling, "Downfall") may allow an authenticated user to potentially enable information disclosure via local access.
* [CVE-2022-41218](https://nvd.nist.gov/vuln/detail/CVE-2022-41218) CVSSv3 score: 5.5(Medium) In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.
* [CVE-2022-4128](https://nvd.nist.gov/vuln/detail/CVE-2022-4128) CVSSv3 score: 5.5(Medium) A NULL pointer dereference was discovered in the Linux kernel's MPTCP protocol when traversing the subflow list at disconnect time. A local user could use this flaw to crash the system, causing a denial of service.
* [CVE-2022-4139](https://nvd.nist.gov/vuln/detail/CVE-2022-4139) CVSSv3 score: 7.8(High) An incorrect TLB flush issue was found in the Linux kernel's i915 GPU driver, potentially leading to random memory corruption or data leaks. A local user could crash the system or escalate privileges.
* [CVE-2022-41674](https://nvd.nist.gov/vuln/detail/CVE-2022-41674) CVSSv3 score: 8.1(High) An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
* [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849) CVSSv3 score: 4.2(Medium) drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while open() is being called, aka a race condition between ufx_ops_open and ufx_usb_disconnect.
* [CVE-2022-41850](https://nvd.nist.gov/vuln/detail/CVE-2022-41850) CVSSv3 score: 4.7(Medium) roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while a copy of report->value is in progress.
* [CVE-2022-41858](https://nvd.nist.gov/vuln/detail/CVE-2022-41858) CVSSv3 score: 7.1(High) A flaw was found in the Linux kernel. A NULL pointer dereference may occur in sl_tx_timeout in drivers/net/slip/slip.c while a SLIP device is being detached. This could allow an attacker to crash the system or leak internal kernel information.
* [CVE-2022-42328](https://nvd.nist.gov/vuln/detail/CVE-2022-42328) CVSSv3 score: 5.5(Medium) Guests can trigger a deadlock in the Linux netback driver. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally, when dropping packets for other reasons the same deadlock could occur if netpoll is active for the interface the xen-netback driver is connected to (CVE-2022-42329).
* [CVE-2022-42329](https://nvd.nist.gov/vuln/detail/CVE-2022-42329) CVSSv3 score: 5.5(Medium) Guests can trigger a deadlock in the Linux netback driver. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally, when dropping packets for other reasons the same deadlock could occur if netpoll is active for the interface the xen-netback driver is connected to (CVE-2022-42329).
* [CVE-2022-42432](https://nvd.nist.gov/vuln/detail/CVE-2022-42432) CVSSv3 score: 4.4(Medium) This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.
* [CVE-2022-4269](https://nvd.nist.gov/vuln/detail/CVE-2022-4269) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using the TC action "mirred"), a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) performs a retransmission, resulting in a denial of service.
* [CVE-2022-42703](https://nvd.nist.gov/vuln/detail/CVE-2022-42703) CVSSv3 score: 5.5(Medium) mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
* [CVE-2022-42719](https://nvd.nist.gov/vuln/detail/CVE-2022-42719) CVSSv3 score: 8.8(High) A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
* [CVE-2022-42720](https://nvd.nist.gov/vuln/detail/CVE-2022-42720) CVSSv3 score: 7.8(High) Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions and potentially execute code.
* [CVE-2022-42721](https://nvd.nist.gov/vuln/detail/CVE-2022-42721) CVSSv3 score: 5.5(Medium) A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.
* [CVE-2022-42722](https://nvd.nist.gov/vuln/detail/CVE-2022-42722) CVSSv3 score: 5.5(Medium) In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.
* [CVE-2022-42895](https://nvd.nist.gov/vuln/detail/CVE-2022-42895) CVSSv3 score: 6.5(Medium) There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c, in the l2cap_parse_conf_req function, which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e
* [CVE-2022-42896](https://nvd.nist.gov/vuln/detail/CVE-2022-42896) CVSSv3 score: 8.8(High) There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c, in the l2cap_connect and l2cap_le_connect_req functions, which may allow code execution and leaking of kernel memory (respectively) remotely via Bluetooth. A remote attacker within Bluetooth range of the victim could execute code or leak kernel memory. We recommend upgrading past commit https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
* [CVE-2022-43750](https://nvd.nist.gov/vuln/detail/CVE-2022-43750) CVSSv3 score: 6.7(Medium) drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.
* [CVE-2022-4378](https://nvd.nist.gov/vuln/detail/CVE-2022-4378) CVSSv3 score: 7.8(High) A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem, in how a user changes certain kernel parameters and variables. A local user could crash the system or potentially escalate privileges.
* [CVE-2022-4379](https://nvd.nist.gov/vuln/detail/CVE-2022-4379) CVSSv3 score: 7.5(High) A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial
* [CVE-2022-4382](https://nvd.nist.gov/vuln/detail/CVE-2022-4382) CVSSv3 score: 6.4(Medium) A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It can be triggered by yanking out a device that is running the gadgetfs side.
* [CVE-2022-43945](https://nvd.nist.gov/vuln/detail/CVE-2022-43945) CVSSv3 score: 7.5(High) The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 is vulnerable to a buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data appended to the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed on to the handlers. The vulnerable code in NFSD does not expect the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* [CVE-2022-45869](https://nvd.nist.gov/vuln/detail/CVE-2022-45869) CVSSv3 score: 5.5(Medium) A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.
* [CVE-2022-45886](https://nvd.nist.gov/vuln/detail/CVE-2022-45886) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.
* [CVE-2022-45887](https://nvd.nist.gov/vuln/detail/CVE-2022-45887) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of a missing dvb_frontend_detach call.
* [CVE-2022-45919](https://nvd.nist.gov/vuln/detail/CVE-2022-45919) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of a missing wait_event.
* [CVE-2022-45934](https://nvd.nist.gov/vuln/detail/CVE-2022-45934) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.
* [CVE-2022-4662](https://nvd.nist.gov/vuln/detail/CVE-2022-4662) CVSSv3 score: 5.5(Medium) An incorrect access control flaw was found in the Linux kernel's USB core subsystem, in the way a user attaches a USB device. A local user could use this flaw to crash the system.
* [CVE-2022-47518](https://nvd.nist.gov/vuln/detail/CVE-2022-47518) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.
* [CVE-2022-47519](https://nvd.nist.gov/vuln/detail/CVE-2022-47519) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.
* [CVE-2022-47520](https://nvd.nist.gov/vuln/detail/CVE-2022-47520) CVSSv3 score: 7.1(High) An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.
* [CVE-2022-47521](https://nvd.nist.gov/vuln/detail/CVE-2022-47521) CVSSv3 score: 7.8(High) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.
* [CVE-2022-47929](https://nvd.nist.gov/vuln/detail/CVE-2022-47929) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c.
* [CVE-2022-47938](https://nvd.nist.gov/vuln/detail/CVE-2022-47938) CVSSv3 score: 6.5(Medium) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.
* [CVE-2022-47939](https://nvd.nist.gov/vuln/detail/CVE-2022-47939) CVSSv3 score: 9.8(Critical) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
* [CVE-2022-47940](https://nvd.nist.gov/vuln/detail/CVE-2022-47940) CVSSv3 score: 8.1(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.
* [CVE-2022-47941](https://nvd.nist.gov/vuln/detail/CVE-2022-47941) CVSSv3 score: 7.5(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.
* [CVE-2022-47942](https://nvd.nist.gov/vuln/detail/CVE-2022-47942) CVSSv3 score: 8.8(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.
* [CVE-2022-47943](https://nvd.nist.gov/vuln/detail/CVE-2022-47943) CVSSv3 score: 8.1(High) An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE when there is a large length in the zero DataOffset case.
* [CVE-2022-4842](https://nvd.nist.gov/vuln/detail/CVE-2022-4842) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the Linux kernel's NTFS3 driver, in the function attr_punch_hole(). A local user could use this flaw to crash the system.
* [CVE-2022-48423](https://nvd.nist.gov/vuln/detail/CVE-2022-48423) CVSSv3 score: 7.8(High) In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.
* [CVE-2022-48424](https://nvd.nist.gov/vuln/detail/CVE-2022-48424) CVSSv3 score: 7.8(High) In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.
* [CVE-2022-48425](https://nvd.nist.gov/vuln/detail/CVE-2022-48425) CVSSv3 score: 7.8(High) In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
* [CVE-2022-48502](https://nvd.nist.gov/vuln/detail/CVE-2022-48502) CVSSv3 score: 7.1(High) An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.
* [CVE-2023-0045](https://nvd.nist.gov/vuln/detail/CVE-2023-0045) CVSSv3 score: 7.5(High) The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set  function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall.  The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 * [CVE-2023-0160](https://nvd.nist.gov/vuln/detail/CVE-2023-0160) CVSSv3 score: 5.5(Medium) A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system. * [CVE-2023-0179](https://nvd.nist.gov/vuln/detail/CVE-2023-0179) CVSSv3 score: 7.8(High) A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution. * [CVE-2023-0210](https://nvd.nist.gov/vuln/detail/CVE-2023-0210) CVSSv3 score: 7.5(High) A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. * [CVE-2023-0266](https://nvd.nist.gov/vuln/detail/CVE-2023-0266) CVSSv3 score: 7.8(High) A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. 
We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e * [CVE-2023-0386](https://nvd.nist.gov/vuln/detail/CVE-2023-0386) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system. * [CVE-2023-0394](https://nvd.nist.gov/vuln/detail/CVE-2023-0394) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. * [CVE-2023-0458](https://nvd.nist.gov/vuln/detail/CVE-2023-0458) CVSSv3 score: 4.7(Medium) A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 * [CVE-2023-0459](https://nvd.nist.gov/vuln/detail/CVE-2023-0459) CVSSv3 score: 5.5(Medium) Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 * [CVE-2023-0461](https://nvd.nist.gov/vuln/detail/CVE-2023-0461) CVSSv3 score: n/a There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. 
There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, a user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c
* [CVE-2023-0468](https://nvd.nist.gov/vuln/detail/CVE-2023-0468) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition on poll_refs. This flaw may cause a NULL pointer dereference.
* [CVE-2023-0469](https://nvd.nist.gov/vuln/detail/CVE-2023-0469) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service.
* [CVE-2023-0590](https://nvd.nist.gov/vuln/detail/CVE-2023-0590) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") is not applied yet, then the kernel could be affected.
* [CVE-2023-0615](https://nvd.nist.gov/vuln/detail/CVE-2023-0615) CVSSv3 score: 5.5(Medium) A memory leak flaw and a potential divide-by-zero and integer overflow were found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls such as the VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if the vivid test code is enabled.
* [CVE-2023-1032](https://nvd.nist.gov/vuln/detail/CVE-2023-1032) CVSSv3 score: n/a
* [CVE-2023-1073](https://nvd.nist.gov/vuln/detail/CVE-2023-1073) CVSSv3 score: 6.6(Medium) A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-1074](https://nvd.nist.gov/vuln/detail/CVE-2023-1074) CVSSv3 score: 5.5(Medium) A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.
* [CVE-2023-1075](https://nvd.nist.gov/vuln/detail/CVE-2023-1075) CVSSv3 score: 3.3(Low) A flaw was found in the Linux Kernel. The tls_is_tx_ready() function incorrectly checks for list emptiness, potentially accessing a type-confused entry via the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.
* [CVE-2023-1076](https://nvd.nist.gov/vuln/detail/CVE-2023-1076) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., for a non-root user holding only that capability. This would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
* [CVE-2023-1077](https://nvd.nist.gov/vuln/detail/CVE-2023-1077) CVSSv3 score: 7(High) In the Linux kernel, pick_next_rt_entity() may return a type-confused entry that is not detected by the BUG_ON condition, as the confused entry will not be NULL but the list_head. The buggy error condition would lead to a type-confused entry with the list head, which would then be used as a type-confused sched_rt_entity, causing memory corruption.
* [CVE-2023-1078](https://nvd.nist.gov/vuln/detail/CVE-2023-1078) CVSSv3 score: 7.8(High) A flaw was found in the Linux Kernel in the RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list, causing a type confusion. A local user can trigger this with rds_message_put(). The type confusion leads to `struct rds_msg_zcopy_info *info` actually pointing to something else that is potentially controlled by the local user. It is known how to trigger this, which causes an out-of-bounds access and a lock corruption.
* [CVE-2023-1079](https://nvd.nist.gov/vuln/detail/CVE-2023-1079) CVSSv3 score: 6.8(Medium) A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging in or disconnecting a malicious USB device which advertises itself as an Asus device. Similarly to the previously known CVE-2023-25012, but for Asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
* [CVE-2023-1095](https://nvd.nist.gov/vuln/detail/CVE-2023-1095) CVSSv3 score: 5.5(Medium) In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list: the list head is all zeroes, and this results in a NULL pointer dereference.
* [CVE-2023-1118](https://nvd.nist.gov/vuln/detail/CVE-2023-1118) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel's integrated infrared receiver/transceiver driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1192](https://nvd.nist.gov/vuln/detail/CVE-2023-1192) CVSSv3 score: n/a
* [CVE-2023-1194](https://nvd.nist.gov/vuln/detail/CVE-2023-1194) CVSSv3 score: n/a
* [CVE-2023-1206](https://nvd.nist.gov/vuln/detail/CVE-2023-1206) CVSSv3 score: 5.7(Medium) A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user performs a new kind of SYN flood attack. A user located on the local network or with a high-bandwidth connection can increase the CPU usage of a server that accepts IPv6 connections up to 95%.
* [CVE-2023-1249](https://nvd.nist.gov/vuln/detail/CVE-2023-1249) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") is not applied yet could the kernel be affected.
* [CVE-2023-1281](https://nvd.nist.gov/vuln/detail/CVE-2023-1281) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel traffic control index filter (tcindex) allows privilege escalation. The imperfect hash area can be updated while packets are traversing it, which causes a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
* [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1(High) A slab-out-of-bounds read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
* [CVE-2023-1382](https://nvd.nist.gov/vuln/detail/CVE-2023-1382) CVSSv3 score: 4.7(Medium) A data race flaw was found in the Linux kernel between where con is allocated and where con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel.
* [CVE-2023-1513](https://nvd.nist.gov/vuln/detail/CVE-2023-1513) CVSSv3 score: 3.3(Low) A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
* [CVE-2023-1582](https://nvd.nist.gov/vuln/detail/CVE-2023-1582) CVSSv3 score: 4.7(Medium) A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
* [CVE-2023-1583](https://nvd.nist.gov/vuln/detail/CVE-2023-1583) CVSSv3 score: 5.5(Medium) A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.
* [CVE-2023-1611](https://nvd.nist.gov/vuln/detail/CVE-2023-1611) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.
* [CVE-2023-1637](https://nvd.nist.gov/vuln/detail/CVE-2023-1637) CVSSv3 score: 5.5(Medium) A flaw was found in the Linux kernel's X86 CPU power management options functionality: the boot CPU could be left vulnerable to speculative-execution style attacks in the way a user resumes the CPU from suspend-to-RAM. A local user could use this flaw to potentially gain unauthorized access to some memory of the CPU, similar to the speculative execution kind of attacks.
* [CVE-2023-1652](https://nvd.nist.gov/vuln/detail/CVE-2023-1652) CVSSv3 score: 7.1(High) A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.
* [CVE-2023-1670](https://nvd.nist.gov/vuln/detail/CVE-2023-1670) CVSSv3 score: 7.8(High) A use-after-free flaw was found in the Linux kernel's Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1829](https://nvd.nist.gov/vuln/detail/CVE-2023-1829) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker can use this vulnerability to elevate their privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.
* [CVE-2023-1838](https://nvd.nist.gov/vuln/detail/CVE-2023-1838) CVSSv3 score: 7.1(High) A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in the virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
* [CVE-2023-1855](https://nvd.nist.gov/vuln/detail/CVE-2023-1855) CVSSv3 score: 6.3(Medium) A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
* [CVE-2023-1859](https://nvd.nist.gov/vuln/detail/CVE-2023-1859) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in xen_9pfs_front_remove in net/9p/trans_xen.c in the Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.
* [CVE-2023-1872](https://nvd.nist.gov/vuln/detail/CVE-2023-1872) CVSSv3 score: 7(High) A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock, which can lead to a use-after-free vulnerability due to a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.
* [CVE-2023-1989](https://nvd.nist.gov/vuln/detail/CVE-2023-1989) CVSSv3 score: 7(High) A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job may cause a race problem leading to a UAF on hdev devices.
* [CVE-2023-1990](https://nvd.nist.gov/vuln/detail/CVE-2023-1990) CVSSv3 score: 4.7(Medium) A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.
* [CVE-2023-1998](https://nvd.nist.gov/vuln/detail/CVE-2023-1998) CVSSv3 score: n/a The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL, which disables the speculation feature, as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the Spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on the boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace for performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection, against which STIBP protects.
* [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: 6.8(Medium) A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
* [CVE-2023-2006](https://nvd.nist.gov/vuln/detail/CVE-2023-2006) CVSSv3 score: 7(High) A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles.
This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-2008](https://nvd.nist.gov/vuln/detail/CVE-2023-2008) CVSSv3 score: 7.8(High) A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-2019](https://nvd.nist.gov/vuln/detail/CVE-2023-2019) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.
* [CVE-2023-20569](https://nvd.nist.gov/vuln/detail/CVE-2023-20569) CVSSv3 score: 4.7(Medium) A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
* [CVE-2023-20588](https://nvd.nist.gov/vuln/detail/CVE-2023-20588) CVSSv3 score: 5.5(Medium) A division-by-zero error on some AMD processors can potentially return speculative data, resulting in loss of confidentiality.
* [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium) An issue in "Zen 2" CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
* [CVE-2023-20928](https://nvd.nist.gov/vuln/detail/CVE-2023-20928) CVSSv3 score: 7.8(High) In binder_vma_close of binder.c, there is a possible use after free due to improper locking.
This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-254837884. References: Upstream kernel.
* [CVE-2023-20938](https://nvd.nist.gov/vuln/detail/CVE-2023-20938) CVSSv3 score: 7.8(High) In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-257685302. References: Upstream kernel.
* [CVE-2023-21102](https://nvd.nist.gov/vuln/detail/CVE-2023-21102) CVSSv3 score: 7.8(High) In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-260821414. References: Upstream kernel.
* [CVE-2023-21106](https://nvd.nist.gov/vuln/detail/CVE-2023-21106) CVSSv3 score: 7.8(High) In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-265016072. References: Upstream kernel.
* [CVE-2023-2124](https://nvd.nist.gov/vuln/detail/CVE-2023-2124) CVSSv3 score: 7.8(High) An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-21255](https://nvd.nist.gov/vuln/detail/CVE-2023-21255) CVSSv3 score: 7.8(High) In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
* [CVE-2023-2156](https://nvd.nist.gov/vuln/detail/CVE-2023-2156) CVSSv3 score: 7.5(High) A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.
* [CVE-2023-2162](https://nvd.nist.gov/vuln/detail/CVE-2023-2162) CVSSv3 score: 5.5(Medium) A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in the SCSI sub-component in the Linux Kernel. Through this flaw an attacker could leak kernel internal information.
* [CVE-2023-2163](https://nvd.nist.gov/vuln/detail/CVE-2023-2163) CVSSv3 score: 8.8(High) Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.
* [CVE-2023-2166](https://nvd.nist.gov/vuln/detail/CVE-2023-2166) CVSSv3 score: 5.5(Medium) A NULL pointer dereference issue was found in the CAN protocol in net/can/af_can.c in the Linux kernel. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.
* [CVE-2023-2177](https://nvd.nist.gov/vuln/detail/CVE-2023-2177) CVSSv3 score: 5.5(Medium) A NULL pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in the Linux Kernel.
If the stream_in allocation fails, stream_out is freed and then accessed again. A local user could use this flaw to crash the system or potentially cause a denial of service.
* [CVE-2023-2194](https://nvd.nist.gov/vuln/detail/CVE-2023-2194) CVSSv3 score: 6.7(Medium) An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace-supplied "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.
* [CVE-2023-2235](https://nvd.nist.gov/vuln/detail/CVE-2023-2235) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation. The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on them before detaching from their group, making it possible to use a dangling pointer, causing a use-after-free vulnerability. We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.
* [CVE-2023-2236](https://nvd.nist.gov/vuln/detail/CVE-2023-2236) CVSSv3 score: n/a A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput on a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.
* [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4(Medium) A denial of service problem was found, due to a possible recursive locking scenario resulting in a deadlock, in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
* [CVE-2023-22996](https://nvd.nist.gov/vuln/detail/CVE-2023-22996) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device.
* [CVE-2023-22997](https://nvd.nist.gov/vuln/detail/CVE-2023-22997) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-22998](https://nvd.nist.gov/vuln/detail/CVE-2023-22998) CVSSv3 score: 5.5(Medium) In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-22999](https://nvd.nist.gov/vuln/detail/CVE-2023-22999) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23001](https://nvd.nist.gov/vuln/detail/CVE-2023-23001) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
* [CVE-2023-23002](https://nvd.nist.gov/vuln/detail/CVE-2023-23002) CVSSv3 score: 5.5(Medium) In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
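The five "expects NULL, gets an error pointer" entries above (CVE-2023-22997 through CVE-2023-23002) are one bug class: kernel APIs such as regulator_get() report failure by returning a pointer-sized encoded errno (ERR_PTR(-errno), an address in the top 4095 bytes of the address space), never NULL, so a caller that only tests `if (!ptr)` dereferences the error value. The following is an added example, not kernel code and not from any of the advisories: a user-space re-implementation of the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() helpers, a hypothetical provider (`fake_regulator_get`, `vdd_supply`, both assumptions) that behaves like regulator_get(), and the NULL-only check beside the corrected IS_ERR() check.

```c
/* Added example (not kernel code): user-space re-implementation of the
 * kernel's ERR_PTR()/IS_ERR()/PTR_ERR() helpers, a hypothetical provider
 * modelled on regulator_get() (valid pointer or error pointer, never NULL),
 * and the NULL-only check from the CVE entries beside the corrected check. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error pointers live in the top MAX_ERRNO bytes of the address space,
 * a range no real kernel object can occupy. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((uintptr_t)(x) >= (uintptr_t)-MAX_ERRNO)

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr) { return IS_ERR_VALUE(ptr); }

struct regulator { int microvolts; };
static struct regulator vdd_supply = { 1800000 };   /* constructed sample supply */

/* Hypothetical provider: like regulator_get() it returns a usable pointer
 * or ERR_PTR(-errno); it never returns NULL. */
static struct regulator *fake_regulator_get(const char *name)
{
    if (name && name[0] == 'v')
        return &vdd_supply;
    return ERR_PTR(-ENODEV);
}

/* The buggy pattern: "if (!reg) goto err;" is the only check, so an error
 * pointer passes as a valid object and the next field access faults.
 * This helper reports whether that check would have let the error pointer
 * through instead of actually dereferencing it. */
static bool null_check_misses_error(const char *name)
{
    struct regulator *reg = fake_regulator_get(name);
    bool passes_null_check = (reg != NULL);

    return passes_null_check && IS_ERR(reg);
}

/* The corrected pattern: test for an error pointer and propagate the errno
 * it encodes; only then is the pointer safe to dereference. */
static int fixed_get_microvolts(const char *name)
{
    struct regulator *reg = fake_regulator_get(name);

    if (IS_ERR(reg))
        return (int)PTR_ERR(reg);
    return reg->microvolts;
}

int main(void)
{
    printf("NULL-only check misses ERR_PTR for \"nope\": %s\n",
           null_check_misses_error("nope") ? "yes" : "no");
    printf("fixed_get_microvolts(\"vdd\")  = %d\n", fixed_get_microvolts("vdd"));
    printf("fixed_get_microvolts(\"nope\") = %d (== -ENODEV)\n",
           fixed_get_microvolts("nope"));
    return 0;
}
```

When reviewing a driver, the check to apply is whether the callee's contract is "NULL on failure", "ERR_PTR on failure", or both (the _optional variants such as devm_gpiod_get_index_optional return NULL for "not present" and an error pointer for a real failure, so they need IS_ERR() and a separate NULL test, or IS_ERR_OR_NULL() when both should be treated as absence).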
* [CVE-2023-23454](https://nvd.nist.gov/vuln/detail/CVE-2023-23454) CVSSv3 score: 5.5(Medium) cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
* [CVE-2023-23455](https://nvd.nist.gov/vuln/detail/CVE-2023-23455) CVSSv3 score: 5.5(Medium) atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
* [CVE-2023-23559](https://nvd.nist.gov/vuln/detail/CVE-2023-23559) CVSSv3 score: 7.8(High) In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
* [CVE-2023-2430](https://nvd.nist.gov/vuln/detail/CVE-2023-2430) CVSSv3 score: 5.5(Medium) A vulnerability was found due to a missing lock for IOPOLL in io_cqring_event_overflow() in io_uring.c in the Linux Kernel. This flaw allows a local attacker with user privilege to trigger a denial of service.
* [CVE-2023-25012](https://nvd.nist.gov/vuln/detail/CVE-2023-25012) CVSSv3 score: 4.6(Medium) The Linux kernel through 6.1.9 has a use-after-free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
* [CVE-2023-2513](https://nvd.nist.gov/vuln/detail/CVE-2023-2513) CVSSv3 score: 6.7(Medium) A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
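The two sch_cbq/sch_atm entries above (CVE-2023-23454 and CVE-2023-23455) describe a verdict-handling mistake worth seeing in code: the classifier result is an action code, and TC_ACT_SHOT (value 2) is non-negative, so a qdisc that treats every result >= 0 as "a class was selected" goes on to use a classid the filter never set. The following is an added example, not kernel code and not taken from either advisory: a hypothetical qdisc classify step with a constructed class table and a stub classifier (`fake_tcf_classify`, `lookup_class`, the `my_class` table and the `verdict` enum are all assumptions); only the TC_ACT_* values are the real ones from include/uapi/linux/pkt_cls.h. It shows the "result < 0 is the only error" check picking up a stale classid on a drop verdict, beside a version that decodes the action first.

```c
/* Added example (not kernel code): a hypothetical qdisc classify step
 * modelled on the sch_cbq/sch_atm CVE descriptions. TC_ACT_* values are the
 * real ones from include/uapi/linux/pkt_cls.h; everything else is
 * constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TC_ACT_UNSPEC     (-1)
#define TC_ACT_OK         0
#define TC_ACT_RECLASSIFY 1
#define TC_ACT_SHOT       2
#define TC_ACT_PIPE       3
#define TC_ACT_STOLEN     4
#define TC_ACT_QUEUED     5
#define TC_ACT_REPEAT     6
#define TC_ACT_REDIRECT   7
#define TC_ACT_TRAP       8

/* Result slot the classifier fills in on a successful match. */
struct tcf_result { unsigned int classid; };

struct my_class { unsigned int classid; const char *name; };

/* Constructed class table standing in for the qdisc's class hash. */
static struct my_class classes[] = {
    { 0x10001, "default" }, { 0x10002, "bulk" }, { 0x10003, "interactive" },
};
#define NCLASSES (sizeof(classes) / sizeof(classes[0]))

static struct my_class *lookup_class(unsigned int classid)
{
    for (size_t i = 0; i < NCLASSES; i++)
        if (classes[i].classid == classid)
            return &classes[i];
    return NULL;
}

/* Stub for tcf_classify(): ports below 1024 match "interactive", port 31337
 * is dropped with TC_ACT_SHOT, everything else is TC_ACT_UNSPEC (no match).
 * On the drop verdict *res is left untouched, as a real action would. */
static int fake_tcf_classify(unsigned int port, struct tcf_result *res)
{
    if (port == 31337)
        return TC_ACT_SHOT;
    if (port < 1024) {
        res->classid = 0x10003;
        return TC_ACT_OK;
    }
    return TC_ACT_UNSPEC;
}

enum verdict { V_ENQUEUE, V_DROP, V_FALLBACK };

/* Buggy: any non-negative result is treated as a successful classification,
 * so on TC_ACT_SHOT res->classid (never written by the filter) is used as-is.
 * In the kernel that stale value fed the class lookup; here it just selects
 * whatever class the leftover id happens to name. */
static enum verdict buggy_classify(unsigned int port, struct tcf_result *res,
                                   struct my_class **cl)
{
    int result = fake_tcf_classify(port, res);

    if (result < 0)
        return V_FALLBACK;
    *cl = lookup_class(res->classid);
    return *cl ? V_ENQUEUE : V_FALLBACK;
}

/* Fixed: decode the action verdict first; res->classid is only meaningful
 * when the filter reported a match. */
static enum verdict fixed_classify(unsigned int port, struct tcf_result *res,
                                   struct my_class **cl)
{
    int result = fake_tcf_classify(port, res);

    *cl = NULL;
    switch (result) {
    case TC_ACT_STOLEN:
    case TC_ACT_QUEUED:
    case TC_ACT_TRAP:
    case TC_ACT_SHOT:
        return V_DROP;          /* packet consumed or dropped: no class */
    case TC_ACT_RECLASSIFY:
        return V_FALLBACK;      /* the kernel would re-run classification */
    default:
        if (result < 0)
            return V_FALLBACK;
        break;
    }
    *cl = lookup_class(res->classid);
    return *cl ? V_ENQUEUE : V_FALLBACK;
}

/* Drive the drop case through both variants with a stale classid in res. */
static bool buggy_picks_stale_class(void)
{
    struct tcf_result res = { 0x10002 };    /* left over from an earlier packet */
    struct my_class *cl = NULL;
    return buggy_classify(31337, &res, &cl) == V_ENQUEUE && cl && cl->classid == 0x10002;
}

static bool fixed_drops(void)
{
    struct tcf_result res = { 0x10002 };
    struct my_class *cl = &classes[0];      /* must be cleared by fixed_classify */
    return fixed_classify(31337, &res, &cl) == V_DROP && cl == NULL;
}

int main(void)
{
    printf("buggy enqueues a SHOT packet into a stale class: %s\n",
           buggy_picks_stale_class() ? "yes" : "no");
    printf("fixed drops it: %s\n", fixed_drops() ? "yes" : "no");
    return 0;
}
```

The general rule the example encodes: a classifier's integer result is an action code, not a success flag, and only the codes that mean "matched" license reading the result struct.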
* [CVE-2023-25775](https://nvd.nist.gov/vuln/detail/CVE-2023-25775) CVSSv3 score: 9.8(Critical) Improper access control in the Intel(R) Ethernet Controller RDMA driver for Linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
* [CVE-2023-26544](https://nvd.nist.gov/vuln/detail/CVE-2023-26544) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.
* [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 4.7(Medium) In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
* [CVE-2023-26606](https://nvd.nist.gov/vuln/detail/CVE-2023-26606) CVSSv3 score: 7.8(High) In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.
* [CVE-2023-26607](https://nvd.nist.gov/vuln/detail/CVE-2023-26607) CVSSv3 score: 7.1(High) In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.
* [CVE-2023-28327](https://nvd.nist.gov/vuln/detail/CVE-2023-28327) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c in unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer dereference. This flaw allows a local user to crash the system or potentially cause a denial of service.
* [CVE-2023-28328](https://nvd.nist.gov/vuln/detail/CVE-2023-28328) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before being transferred to the device. This flaw allows a local user to crash the system or potentially cause a denial of service.
* [CVE-2023-28410](https://nvd.nist.gov/vuln/detail/CVE-2023-28410) CVSSv3 score: 7.8(High) Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for Linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access.
* [CVE-2023-28466](https://nvd.nist.gov/vuln/detail/CVE-2023-28466) CVSSv3 score: 7(High) do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
* [CVE-2023-28866](https://nvd.nist.gov/vuln/detail/CVE-2023-28866) CVSSv3 score: 5.3(Medium) In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.
* [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium) There is a NULL pointer dereference flaw in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
* [CVE-2023-2985](https://nvd.nist.gov/vuln/detail/CVE-2023-2985) CVSSv3 score: 5.5(Medium) A use-after-free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.
* [CVE-2023-3006](https://nvd.nist.gov/vuln/detail/CVE-2023-3006) CVSSv3 score: 5.5(Medium) A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes relevant again for the new AmpereOne hardware. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation.
This issue leads to obtaining information that should not be accessible.
* [CVE-2023-30456](https://nvd.nist.gov/vuln/detail/CVE-2023-30456) CVSSv3 score: 6.5(Medium) An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
* [CVE-2023-30772](https://nvd.nist.gov/vuln/detail/CVE-2023-30772) CVSSv3 score: 6.4(Medium) The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
* [CVE-2023-3090](https://nvd.nist.gov/vuln/detail/CVE-2023-3090) CVSSv3 score: n/a A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.
* [CVE-2023-3111](https://nvd.nist.gov/vuln/detail/CVE-2023-3111) CVSSv3 score: 7.8(High) A use-after-free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().
* [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active, and CAP_NET_ADMIN is available in any user or network namespace.
* [CVE-2023-3141](https://nvd.nist.gov/vuln/detail/CVE-2023-3141) CVSSv3 score: 7.1(High) A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.
* [CVE-2023-31436](https://nvd.nist.gov/vuln/detail/CVE-2023-31436) CVSSv3 score: 7.8(High) qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
* [CVE-2023-3159](https://nvd.nist.gov/vuln/detail/CVE-2023-3159) CVSSv3 score: 6.7(Medium) A use after free issue was discovered in drivers/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.
* [CVE-2023-3161](https://nvd.nist.gov/vuln/detail/CVE-2023-3161) CVSSv3 score: 5.5(Medium) A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs, leading to undefined behavior and possible denial of service.
* [CVE-2023-3212](https://nvd.nist.gov/vuln/detail/CVE-2023-3212) CVSSv3 score: 4.4(Medium) A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
* [CVE-2023-3220](https://nvd.nist.gov/vuln/detail/CVE-2023-3220) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks a check of the return value of kzalloc(), which can cause a NULL pointer dereference.
* [CVE-2023-32233](https://nvd.nist.gov/vuln/detail/CVE-2023-32233) CVSSv3 score: 7.8(High) In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
* [CVE-2023-32247](https://nvd.nist.gov/vuln/detail/CVE-2023-32247) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32248](https://nvd.nist.gov/vuln/detail/CVE-2023-32248) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32250](https://nvd.nist.gov/vuln/detail/CVE-2023-32250) CVSSv3 score: 8.1(High) A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32252](https://nvd.nist.gov/vuln/detail/CVE-2023-32252) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32254](https://nvd.nist.gov/vuln/detail/CVE-2023-32254) CVSSv3 score: 8.1(High) A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32257](https://nvd.nist.gov/vuln/detail/CVE-2023-32257) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32258](https://nvd.nist.gov/vuln/detail/CVE-2023-32258) CVSSv3 score: n/a A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32269](https://nvd.nist.gov/vuln/detail/CVE-2023-32269) CVSSv3 score: 6.7(Medium) An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.
* [CVE-2023-3268](https://nvd.nist.gov/vuln/detail/CVE-2023-3268) CVSSv3 score: 7.1(High) An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
* [CVE-2023-3269](https://nvd.nist.gov/vuln/detail/CVE-2023-3269) CVSSv3 score: 7.8(High) A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.
* [CVE-2023-33203](https://nvd.nist.gov/vuln/detail/CVE-2023-33203) CVSSv3 score: 6.4(Medium) The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
* [CVE-2023-33288](https://nvd.nist.gov/vuln/detail/CVE-2023-33288) CVSSv3 score: 4.7(Medium) An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.
* [CVE-2023-3355](https://nvd.nist.gov/vuln/detail/CVE-2023-3355) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.
* [CVE-2023-3357](https://nvd.nist.gov/vuln/detail/CVE-2023-3357) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system.
* [CVE-2023-3358](https://nvd.nist.gov/vuln/detail/CVE-2023-3358) CVSSv3 score: 5.5(Medium) A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.
* [CVE-2023-3359](https://nvd.nist.gov/vuln/detail/CVE-2023-3359) CVSSv3 score: 5.5(Medium) An issue was discovered in the Linux kernel in brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. A missing check of the return value of kzalloc() can cause a NULL pointer dereference.
* [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
* [CVE-2023-33951](https://nvd.nist.gov/vuln/detail/CVE-2023-33951) CVSSv3 score: 5.3(Medium) A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.
* [CVE-2023-33952](https://nvd.nist.gov/vuln/detail/CVE-2023-33952) CVSSv3 score: n/a A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. This flaw allows a local privileged user to escalate privileges and execute code in the context of the kernel.
* [CVE-2023-34319](https://nvd.nist.gov/vuln/detail/CVE-2023-34319) CVSSv3 score: 7.8(High) The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
* [CVE-2023-3439](https://nvd.nist.gov/vuln/detail/CVE-2023-3439) CVSSv3 score: 4.7(Medium) A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of service.
* [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled VM register contents. Triggering it requires only CAP_NET_ADMIN in any user or network namespace.
* [CVE-2023-3567](https://nvd.nist.gov/vuln/detail/CVE-2023-3567) CVSSv3 score: n/a A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.
* [CVE-2023-35788](https://nvd.nist.gov/vuln/detail/CVE-2023-35788) CVSSv3 score: 7.8(High) An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
* [CVE-2023-35823](https://nvd.nist.gov/vuln/detail/CVE-2023-35823) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.
* [CVE-2023-35824](https://nvd.nist.gov/vuln/detail/CVE-2023-35824) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
* [CVE-2023-35826](https://nvd.nist.gov/vuln/detail/CVE-2023-35826) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.
* [CVE-2023-35828](https://nvd.nist.gov/vuln/detail/CVE-2023-35828) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.
* [CVE-2023-35829](https://nvd.nist.gov/vuln/detail/CVE-2023-35829) CVSSv3 score: 7(High) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.
* [CVE-2023-3609](https://nvd.nist.gov/vuln/detail/CVE-2023-3609) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
* [CVE-2023-3610](https://nvd.nist.gov/vuln/detail/CVE-2023-3610) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
* [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
* [CVE-2023-3772](https://nvd.nist.gov/vuln/detail/CVE-2023-3772) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
* [CVE-2023-3773](https://nvd.nist.gov/vuln/detail/CVE-2023-3773) CVSSv3 score: 4.4(Medium) A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
* [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
* [CVE-2023-3777](https://nvd.nist.gov/vuln/detail/CVE-2023-3777) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
* [CVE-2023-3812](https://nvd.nist.gov/vuln/detail/CVE-2023-3812) CVSSv3 score: n/a An out-of-bounds memory access flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-38409](https://nvd.nist.gov/vuln/detail/CVE-2023-38409) CVSSv3 score: 5.5(Medium) An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).
* [CVE-2023-38426](https://nvd.nist.gov/vuln/detail/CVE-2023-38426) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.
* [CVE-2023-38427](https://nvd.nist.gov/vuln/detail/CVE-2023-38427) CVSSv3 score: 9.8(Critical) An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.
* [CVE-2023-38428](https://nvd.nist.gov/vuln/detail/CVE-2023-38428) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.
* [CVE-2023-38429](https://nvd.nist.gov/vuln/detail/CVE-2023-38429) CVSSv3 score: 9.8(Critical) An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.
* [CVE-2023-38430](https://nvd.nist.gov/vuln/detail/CVE-2023-38430) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.
* [CVE-2023-38431](https://nvd.nist.gov/vuln/detail/CVE-2023-38431) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.
* [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432) CVSSv3 score: 9.1(Critical) An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.
* [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium) A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to cause a kernel information leak.
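The unauthenticated ksmbd entries above (CVE-2023-38430, CVE-2023-38431 and CVE-2023-38432 in particular) share one root cause: a length or identifier taken from the wire was used before it was checked against the bytes actually received. The following is an added example, not ksmbd's code, showing the checks as a standalone C validator run over one raw SMB2-over-TCP message: the RFC 1002 length against the receive buffer, the protocol ID, the fixed 64-byte header size, the compound `NextCommand` offset, and the command's fixed body size against the announced PDU length. Offsets and StructureSize constants are from MS-SMB2; `smb2_validate_pdu`, `smb2_check_constructed` and the verdict enum are this example's own names, and every message it checks is constructed inline.

```c
/*
 * Added example, not ksmbd's code: length and protocol-ID consistency
 * checks for one raw SMB2-over-TCP message, applied before any field
 * in it is trusted. Header offsets and StructureSize values are from
 * MS-SMB2; all names here are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBT_HDR_SIZE   4u   /* RFC 1002 session message: 1 byte type, 3 bytes big-endian length */
#define SMB2_HDR_SIZE  64u  /* MS-SMB2 2.2.1 fixed header */
#define ARRAY_SIZE(a)  (sizeof(a) / sizeof((a)[0]))

enum smb2_verdict {
    SMB2_OK = 0,
    SMB2_ERR_NBT_LEN,    /* RFC 1002 length disagrees with the bytes received */
    SMB2_ERR_SHORT_HDR,  /* PDU shorter than the 64-byte SMB2 header */
    SMB2_ERR_PROTO_ID,   /* not an SMB2 message */
    SMB2_ERR_HDR_SIZE,   /* header StructureSize is not 64 */
    SMB2_ERR_COMPOUND,   /* NextCommand points outside the PDU or is misaligned */
    SMB2_ERR_CMD,        /* command not handled by this example */
    SMB2_ERR_BODY        /* fixed request body does not fit in the PDU */
};

/* Minimum fixed body length per request: the MS-SMB2 StructureSize with the
 * "odd value means a variable trailer follows" bit cleared. Only commands
 * named in the ksmbd advisories above are listed; others are rejected. */
static const uint16_t smb2_req_body_min[] = {
    [0x0000] = 36, /* NEGOTIATE */
    [0x0001] = 24, /* SESSION_SETUP   (StructureSize 25) */
    [0x0002] = 4,  /* LOGOFF */
    [0x0003] = 8,  /* TREE_CONNECT    (StructureSize 9) */
    [0x0004] = 4,  /* TREE_DISCONNECT */
    [0x0006] = 24, /* CLOSE */
    [0x0010] = 40, /* QUERY_INFO      (StructureSize 41) */
};

static uint32_t rd_le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd_le32(const uint8_t *p) { return rd_le16(p) | (rd_le16(p + 2) << 16); }
static uint32_t rd_be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* buf/buflen are the bytes actually read from the socket. On success
 * *pdu_size receives the SMB2 PDU length that later code may rely on. */
enum smb2_verdict smb2_validate_pdu(const uint8_t *buf, size_t buflen, uint32_t *pdu_size)
{
    if (buflen < NBT_HDR_SIZE || buf[0] != 0x00)
        return SMB2_ERR_NBT_LEN;
    uint32_t len = rd_be24(buf + 1);
    /* The announced length must not exceed what is in the buffer; otherwise
     * every later read indexed by it runs past the end (CVE-2023-38431 class). */
    if (len > buflen - NBT_HDR_SIZE)
        return SMB2_ERR_NBT_LEN;
    const uint8_t *pdu = buf + NBT_HDR_SIZE;

    if (len < SMB2_HDR_SIZE)
        return SMB2_ERR_SHORT_HDR;

    /* Protocol ID before anything else is interpreted (CVE-2023-38430 class).
     * Only plain SMB2 is accepted; transform/compression headers are out of scope. */
    static const uint8_t smb2_magic[4] = { 0xFE, 'S', 'M', 'B' };
    if (memcmp(pdu, smb2_magic, sizeof smb2_magic) != 0)
        return SMB2_ERR_PROTO_ID;
    if (rd_le16(pdu + 4) != SMB2_HDR_SIZE)
        return SMB2_ERR_HDR_SIZE;

    /* Compound chaining: NextCommand (offset 20) must stay inside the PDU
     * and be 8-byte aligned; the body of this request ends where it begins. */
    uint32_t next = rd_le32(pdu + 20);
    if (next != 0 && (next < SMB2_HDR_SIZE || next > len || (next & 7) != 0))
        return SMB2_ERR_COMPOUND;
    uint32_t body_len = (next ? next : len) - SMB2_HDR_SIZE;

    uint32_t cmd = rd_le16(pdu + 12);
    if (cmd >= ARRAY_SIZE(smb2_req_body_min) || smb2_req_body_min[cmd] == 0)
        return SMB2_ERR_CMD;

    /* The command's fixed body must fit inside the announced length
     * (CVE-2023-38432 class), and its own StructureSize must match. */
    if (body_len < 2)
        return SMB2_ERR_BODY;
    uint32_t ss = rd_le16(pdu + SMB2_HDR_SIZE);
    if ((ss & ~1u) != smb2_req_body_min[cmd] || body_len < smb2_req_body_min[cmd])
        return SMB2_ERR_BODY;

    *pdu_size = len;
    return SMB2_OK;
}

/* Constructed input (not a capture): an RFC 1002 header announcing nbt_len,
 * an SMB2 header with the given protocol byte and command, then body_len
 * zeroed bytes whose first two carry struct_size. Returns the verdict. */
enum smb2_verdict smb2_check_constructed(uint32_t nbt_len, uint8_t proto0, uint16_t cmd,
                                         uint16_t struct_size, uint32_t body_len)
{
    uint8_t buf[256] = { 0 };
    size_t total = NBT_HDR_SIZE + SMB2_HDR_SIZE + body_len;
    if (total > sizeof buf)
        return SMB2_ERR_BODY;
    buf[1] = (uint8_t)(nbt_len >> 16); buf[2] = (uint8_t)(nbt_len >> 8); buf[3] = (uint8_t)nbt_len;
    uint8_t *hdr = buf + NBT_HDR_SIZE;
    hdr[0] = proto0; hdr[1] = 'S'; hdr[2] = 'M'; hdr[3] = 'B';
    hdr[4] = SMB2_HDR_SIZE;                                  /* StructureSize = 64 */
    hdr[12] = (uint8_t)cmd; hdr[13] = (uint8_t)(cmd >> 8);   /* Command */
    if (body_len >= 2) { hdr[64] = (uint8_t)struct_size; hdr[65] = (uint8_t)(struct_size >> 8); }
    uint32_t pdu_size = 0;
    return smb2_validate_pdu(buf, total, &pdu_size);
}

int main(void)
{
    printf("LOGOFF, consistent lengths      -> %d\n", smb2_check_constructed(68, 0xFE, 0x0002, 4, 4));
    printf("NBT length larger than received -> %d\n", smb2_check_constructed(200, 0xFE, 0x0002, 4, 4));
    printf("SMB1 protocol ID                -> %d\n", smb2_check_constructed(68, 0xFF, 0x0002, 4, 4));
    printf("SESSION_SETUP body too short    -> %d\n", smb2_check_constructed(70, 0xFE, 0x0001, 25, 6));
    return 0;
}
```

The two checks that matter most are the first and the last: `len` is only trusted after it is bounded by `buflen`, and the command body is only parsed after `body_len` is bounded by the command's fixed size. Anything that later indexes the buffer by a value from the message should be bounded the same way.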
* [CVE-2023-3865](https://nvd.nist.gov/vuln/detail/CVE-2023-3865) CVSSv3 score: n/a
* [CVE-2023-3866](https://nvd.nist.gov/vuln/detail/CVE-2023-3866) CVSSv3 score: n/a
* [CVE-2023-3867](https://nvd.nist.gov/vuln/detail/CVE-2023-3867) CVSSv3 score: n/a
* [CVE-2023-4004](https://nvd.nist.gov/vuln/detail/CVE-2023-4004) CVSSv3 score: n/a A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-4015](https://nvd.nist.gov/vuln/detail/CVE-2023-4015) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. On an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead to the chain being unbound and objects being deactivated but later used. We recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.
* [CVE-2023-40283](https://nvd.nist.gov/vuln/detail/CVE-2023-40283) CVSSv3 score: 7.8(High) An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.
* [CVE-2023-4128](https://nvd.nist.gov/vuln/detail/CVE-2023-4128) CVSSv3 score: n/a A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
* [CVE-2023-4132](https://nvd.nist.gov/vuln/detail/CVE-2023-4132) CVSSv3 score: n/a A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
* [CVE-2023-4147](https://nvd.nist.gov/vuln/detail/CVE-2023-4147) CVSSv3 score: n/a A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
* [CVE-2023-4155](https://nvd.nist.gov/vuln/detail/CVE-2023-4155) CVSSv3 score: 5.6(Medium) A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
* [CVE-2023-4206](https://nvd.nist.gov/vuln/detail/CVE-2023-4206) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
* [CVE-2023-4207](https://nvd.nist.gov/vuln/detail/CVE-2023-4207) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
* [CVE-2023-4208](https://nvd.nist.gov/vuln/detail/CVE-2023-4208) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
* [CVE-2023-4273](https://nvd.nist.gov/vuln/detail/CVE-2023-4273) CVSSv3 score: 6.7(Medium) A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
* [CVE-2023-42752](https://nvd.nist.gov/vuln/detail/CVE-2023-42752) CVSSv3 score: n/a
* [CVE-2023-42753](https://nvd.nist.gov/vuln/detail/CVE-2023-42753) CVSSv3 score: 7.8(High) An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-42755](https://nvd.nist.gov/vuln/detail/CVE-2023-42755) CVSSv3 score: n/a
* [CVE-2023-4385](https://nvd.nist.gov/vuln/detail/CVE-2023-4385) CVSSv3 score: n/a A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.
* [CVE-2023-4387](https://nvd.nist.gov/vuln/detail/CVE-2023-4387) CVSSv3 score: n/a A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.
* [CVE-2023-4389](https://nvd.nist.gov/vuln/detail/CVE-2023-4389) CVSSv3 score: 7.1(High) A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.
* [CVE-2023-4394](https://nvd.nist.gov/vuln/detail/CVE-2023-4394) CVSSv3 score: 6(Medium) A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information.
* [CVE-2023-4459](https://nvd.nist.gov/vuln/detail/CVE-2023-4459) CVSSv3 score: 5.5(Medium) A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
* [CVE-2023-4569](https://nvd.nist.gov/vuln/detail/CVE-2023-4569) CVSSv3 score: 5.5(Medium) A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double deactivation of catchall elements, which results in a memory leak.
* [CVE-2023-4623](https://nvd.nist.gov/vuln/detail/CVE-2023-4623) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
* [CVE-2023-4921](https://nvd.nist.gov/vuln/detail/CVE-2023-4921) CVSSv3 score: n/a A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
* [CVE-2022-40982](https://nvd.nist.gov/vuln/detail/CVE-2022-40982) CVSSv3 score: n/a Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
* [CVE-2022-41804](https://nvd.nist.gov/vuln/detail/CVE-2022-41804) CVSSv3 score: 6.7(Medium) Unauthorized error injection in Intel(R) SGX or Intel(R) TDX for some Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
* [CVE-2023-20569](https://nvd.nist.gov/vuln/detail/CVE-2023-20569) CVSSv3 score: 4.7(Medium) A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
* [CVE-2023-23908](https://nvd.nist.gov/vuln/detail/CVE-2023-23908) CVSSv3 score: 4.4(Medium) Improper access control in some 3rd Generation Intel(R) Xeon(R) Scalable processors may allow a privileged user to potentially enable information disclosure via local access.

next page: https://hackmd.io/mEem3BIJSkmXfvAM-rz2kA