- libpcap ([1.10.4](https://github.com/the-tcpdump-group/libpcap/blob/24832dd2728bd95ed9b9464ef27b47a943c38003/CHANGES#L51))
- libpcre ([8.45](https://www.pcre.org/original/changelog.txt))
- libpipeline ([1.5.7](https://gitlab.com/libpipeline/libpipeline/-/tags/1.5.7))
- libselinux ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
- libsemanage ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
- libsepol ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
- libtirpc ([1.3.4](https://marc.info/?l=linux-nfs&m=169667640909830&w=2))
- libusb ([1.0.26](https://github.com/libusb/libusb/blob/v1.0.26/ChangeLog))
- libuv ([1.46.0](https://github.com/libuv/libuv/releases/tag/v1.46.0) (includes [1.45.0](https://github.com/libuv/libuv/releases/tag/v1.45.0)))
- libxml2 ([2.11.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.5) (includes [2.11.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4)))
- lsof ([4.98.0](https://github.com/lsof-org/lsof/blob/4.98.0/00DIST#L5471))
- lua ([5.4.6](https://www.lua.org/manual/5.4/readme.html#changes) (includes [5.4.4](https://www.lua.org/manual/5.4/readme.html#changes)))
- mit-krb5 ([1.21.2](http://web.mit.edu/kerberos/krb5-1.21/))
- multipath-tools ([0.9.5](https://github.com/opensvc/multipath-tools/commits/0.9.5))
- ncurses ([6.4](https://invisible-island.net/ncurses/announce.html#h2-release-notes))
- nettle ([3.9.1](https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.9.1_release_20230601/ChangeLog))
- nmap ([7.94](https://nmap.org/changelog.html#7.94))
- nvidia-drivers ([535.104.05](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-104-05/index.html))
- nvme-cli ([2.5](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.5) (includes [2.3](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.3)))
- open-isns ([0.102](https://github.com/open-iscsi/open-isns/blob/v0.102/ChangeLog))
- openldap ([2.6.4](https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_4/CHANGES) (includes [2.6.3](https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/FQJM2JSSSOMLQH7XC7Q5IZJYOGCTV2LK/), [2.6](https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/IHS5V46H6NFNFUERMC6AWMPHTWRVNLFA/), [2.5.14](https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/TZQHR4SIWUA5BZTKDAKSFDOOGDVU4TU7/), [2.5](https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/BH3VDPG6IYYF5L5U6LZGHHKMJY5HFA3L/)))
- openssh ([9.5p1](https://www.openssh.com/releasenotes.html#9.5p1) (includes [9.4p1](https://www.openssh.com/releasenotes.html#9.4p1)))
- parted ([3.6](https://git.savannah.gnu.org/gitweb/?p=parted.git;a=blob;f=NEWS;h=52bb11697039f70e55120c571750f9ee761a75aa;hb=3b5f327b213d21e9adb9ba933c78dd898fee5b1d))
- pax-utils ([1.3.7](https://gitweb.gentoo.org/proj/pax-utils.git/log/?h=v1.3.7))
- pciutils ([3.9.0](https://github.com/pciutils/pciutils/releases/tag/v3.9.0) (includes [3.10.0](https://github.com/pciutils/pciutils/blob/v3.10.0/ChangeLog)))
- pigz ([2.8](https://zlib.net/pipermail/pigz-announce_zlib.net/2023-August/000018.html))
- policycoreutils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
- popt ([1.19](https://github.com/rpm-software-management/popt/releases/tag/popt-1.19-release))
- procps ([4.0.4](https://gitlab.com/procps-ng/procps/-/releases/v4.0.4) (includes [4.0.3](https://gitlab.com/procps-ng/procps/-/releases/v4.0.3), [4.0.0](https://gitlab.com/procps-ng/procps/-/releases/v4.0.0)))
- protobuf ([21.9](https://github.com/protocolbuffers/protobuf/releases/tag/v21.9))
- psmisc ([23.6](https://gitlab.com/psmisc/psmisc/-/blob/v23.6/ChangeLog))
- quota ([4.09](https://sourceforge.net/p/linuxquota/code/ci/87d2fd7635e4bca54fa2a00b8d5b073ba9ca521b/tree/Changelog))
- rpcsvc-proto ([1.4.4](https://github.com/thkukuk/rpcsvc-proto/releases/tag/v1.4.4))
- runc ([1.1.9](https://github.com/opencontainers/runc/releases/tag/v1.1.9) (includes [1.1.8](https://github.com/opencontainers/runc/releases/tag/v1.1.8)))
- samba ([4.18.4](https://wiki.samba.org/index.php/Samba_4.18_Features_added/changed#Samba_4.18.4))
- sed ([4.9](https://lists.gnu.org/archive/html/info-gnu/2022-11/msg00001.html))
- selinux-base ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
- selinux-base-policy ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
- selinux-container ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
- selinux-sssd ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
- selinux-unconfined ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
- semodule-utils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
- smartmontools ([7.3](https://github.com/smartmontools/smartmontools/releases/tag/RELEASE_7_3))
- sqlite ([3.42.0](https://sqlite.org/releaselog/3_42_0.html))
- strace ([6.4](https://github.com/strace/strace/releases/tag/v6.4) (includes [6.3](https://github.com/strace/strace/releases/tag/v6.3), [6.2](https://github.com/strace/strace/releases/tag/v6.2)))
- sudo ([1.9.13p3](https://www.sudo.ws/releases/stable/#1.9.13p3))
- talloc ([2.4.0](https://gitlab.com/samba-team/samba/-/commit/5224ed98eeba43f22b5f5f87de5947fbb1c1c7c1) (includes [2.3.4](https://gitlab.com/samba-team/samba/-/commit/0189ccf9fc3d2a77cc83cffe180e307bcdccebb4)))
- tar ([1.35](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html))
- tdb ([1.4.8](https://gitlab.com/samba-team/samba/-/commit/eab796a4f9172e602dc262f3c99ead35b35929e7) (includes [1.4.7](https://gitlab.com/samba-team/samba/-/commit/27ceb1c3ad786386e746a5e2968780d791393b9e), [1.4.6](https://gitlab.com/samba-team/samba/-/commit/1c776e54cf33b46b2ed73263f093d596a0cdbb2f)))
- tevent ([0.14.1](https://gitlab.com/samba-team/samba/-/commit/d80f28b081e515e32a480daf80b42cf782447a9c) (includes [0.14.0](https://gitlab.com/samba-team/samba/-/commit/3c6d28ebae27dba8e40558ae37ae8138ea0b4bdc), [0.13.0](https://gitlab.com/samba-team/samba/-/commit/63d4db63feda920c8020f8484a8b31065b7f1380), [0.12.1](https://gitlab.com/samba-team/samba/-/commit/53692735c733d01acbd953641f831a1f5e0cf6c5), [0.12.0](https://gitlab.com/samba-team/samba/-/tags/tevent-0.12.0)))
- usbutils ([015](https://github.com/gregkh/usbutils/blob/79b796f945ea7d5c2b0e2a74f9b8819cb7948680/NEWS))
- userspace-rcu ([0.14.0](https://github.com/urcu/userspace-rcu/blob/v0.13.2/ChangeLog))
- util-linux ([2.38.1](https://github.com/util-linux/util-linux/releases/tag/v2.38.1))
- vim ([9.0.1678](https://github.com/vim/vim/commits/v9.0.1678) (includes [9.0.1677](https://github.com/vim/vim/commits/v9.0.1677), [9.0.1503](https://github.com/vim/vim/commits/v9.0.1503)))
- wget ([1.21.4](https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00003.html))
- whois ([5.5.18](https://github.com/rfc1036/whois/blob/v5.5.18/debian/changelog) (includes [5.5.17](https://github.com/rfc1036/whois/commit/bac7108b01cfd54c517444efa1239e10e6edd5a4)))
- xfsprogs ([6.4.0](https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.4.0) (includes [6.3.0](https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.3.0)))
- zstd ([1.5.5](https://github.com/facebook/zstd/releases/tag/v1.5.5))
**Changes since Beta-3760.1.1**
#### Security fixes:
- Linux ([CVE-2023-1193](https://nvd.nist.gov/vuln/detail/CVE-2023-1193), [CVE-2023-51779](https://nvd.nist.gov/vuln/detail/CVE-2023-51779), [CVE-2023-51780](https://nvd.nist.gov/vuln/detail/CVE-2023-51780), [CVE-2023-51781](https://nvd.nist.gov/vuln/detail/CVE-2023-51781), [CVE-2023-51782](https://nvd.nist.gov/vuln/detail/CVE-2023-51782), [CVE-2023-6531](https://nvd.nist.gov/vuln/detail/CVE-2023-6531), [CVE-2023-6606](https://nvd.nist.gov/vuln/detail/CVE-2023-6606), [CVE-2023-6622](https://nvd.nist.gov/vuln/detail/CVE-2023-6622), [CVE-2023-6817](https://nvd.nist.gov/vuln/detail/CVE-2023-6817), [CVE-2023-6931](https://nvd.nist.gov/vuln/detail/CVE-2023-6931))
#### Bug fixes:
- AWS: Fixed the Amazon SSM agent that was crashing. ([Flatcar#1307](https://github.com/flatcar/Flatcar/issues/1307))
- Fixed a bug resulting in coreos-cloudinit resetting the instance hostname to 'localhost' if no metadata could be found ([coreos-cloudinit#25](https://github.com/flatcar/coreos-cloudinit/pull/25), [Flatcar#1262](https://github.com/flatcar/Flatcar/issues/1262)), with contributions from [MichaelEischer](https://github.com/MichaelEischer)
- Fixed supplying extension update payloads with a custom base URL in Nebraska ([Flatcar#1281](https://github.com/flatcar/Flatcar/issues/1281))
#### Updates
- Linux ([6.1.73](https://lwn.net/Articles/958343) (includes [6.1.72](https://lwn.net/Articles/957376), [6.1.71](https://lwn.net/Articles/957009), [6.1.70](https://lwn.net/Articles/956526), [6.1.69](https://lwn.net/Articles/955814), [6.1.68](https://lwn.net/Articles/954989), [6.1.67](https://lwn.net/Articles/954455)))
- ca-certificates ([3.96.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96_1.html) (includes [3.96](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96.html)))
### Detailed Security Report
**Security fix**: With the Alpha 3850.0.0, Beta 3815.1.0, Stable 3760.2.0 releases we ship fixes for the CVEs listed below.
#### Alpha 3850.0.0
* Linux
* [CVE-2022-27672](https://nvd.nist.gov/vuln/detail/CVE-2022-27672) CVSSv3 score: 4.7(Medium)
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target
from the sibling thread after an SMT mode switch potentially resulting in information disclosure.
* [CVE-2022-40982](https://nvd.nist.gov/vuln/detail/CVE-2022-40982) CVSSv3 score: n/a
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
* [CVE-2022-4269](https://nvd.nist.gov/vuln/detail/CVE-2022-4269) CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.
* [CVE-2022-45886](https://nvd.nist.gov/vuln/detail/CVE-2022-45886) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.
* [CVE-2022-45887](https://nvd.nist.gov/vuln/detail/CVE-2022-45887) CVSSv3 score: 4.7(Medium)
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.
* [CVE-2022-45919](https://nvd.nist.gov/vuln/detail/CVE-2022-45919) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event.
* [CVE-2022-48425](https://nvd.nist.gov/vuln/detail/CVE-2022-48425) CVSSv3 score: 7.8(High)
In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
* [CVE-2023-0160](https://nvd.nist.gov/vuln/detail/CVE-2023-0160) CVSSv3 score: 5.5(Medium)
A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.
* [CVE-2023-0459](https://nvd.nist.gov/vuln/detail/CVE-2023-0459) CVSSv3 score: 5.5(Medium)
Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47
* [CVE-2023-1032](https://nvd.nist.gov/vuln/detail/CVE-2023-1032) CVSSv3 score: 5.5(Medium)
The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.
* [CVE-2023-1076](https://nvd.nist.gov/vuln/detail/CVE-2023-1076) CVSSv3 score: 5.5(Medium)
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
* [CVE-2023-1077](https://nvd.nist.gov/vuln/detail/CVE-2023-1077) CVSSv3 score: 7(High)
In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head. The buggy error condition would lead to a type confused entry with the list head, which would then be used as a type confused sched_rt_entity, causing memory corruption.
* [CVE-2023-1079](https://nvd.nist.gov/vuln/detail/CVE-2023-1079) CVSSv3 score: 6.8(Medium)
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
* [CVE-2023-1118](https://nvd.nist.gov/vuln/detail/CVE-2023-1118) CVSSv3 score: 7.8(High)
A use-after-free flaw was found in the Linux kernel's integrated infrared receiver/transceiver (rc) driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1192](https://nvd.nist.gov/vuln/detail/CVE-2023-1192) CVSSv3 score: n/a
A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.
* [CVE-2023-1193](https://nvd.nist.gov/vuln/detail/CVE-2023-1193) CVSSv3 score: n/a
A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.
* [CVE-2023-1194](https://nvd.nist.gov/vuln/detail/CVE-2023-1194) CVSSv3 score: 8.1(High)
An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.
* [CVE-2023-1206](https://nvd.nist.gov/vuln/detail/CVE-2023-1206) CVSSv3 score: 5.7(Medium)
A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.
* [CVE-2023-1281](https://nvd.nist.gov/vuln/detail/CVE-2023-1281) CVSSv3 score: n/a
Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.
This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
* [CVE-2023-1380](https://nvd.nist.gov/vuln/detail/CVE-2023-1380) CVSSv3 score: 7.1(High)
A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
* [CVE-2023-1513](https://nvd.nist.gov/vuln/detail/CVE-2023-1513) CVSSv3 score: 3.3(Low)
A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
* [CVE-2023-1583](https://nvd.nist.gov/vuln/detail/CVE-2023-1583) CVSSv3 score: 5.5(Medium)
A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.
* [CVE-2023-1611](https://nvd.nist.gov/vuln/detail/CVE-2023-1611) CVSSv3 score: 6.3(Medium)
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.
* [CVE-2023-1670](https://nvd.nist.gov/vuln/detail/CVE-2023-1670) CVSSv3 score: 7.8(High)
A use-after-free flaw was found in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-1829](https://nvd.nist.gov/vuln/detail/CVE-2023-1829) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to the structure being freed twice. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.
* [CVE-2023-1855](https://nvd.nist.gov/vuln/detail/CVE-2023-1855) CVSSv3 score: 6.3(Medium)
A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
* [CVE-2023-1859](https://nvd.nist.gov/vuln/detail/CVE-2023-1859) CVSSv3 score: 4.7(Medium)
A use-after-free flaw was found in xen_9pfs_front_remove in net/9p/trans_xen.c in the Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.
* [CVE-2023-1989](https://nvd.nist.gov/vuln/detail/CVE-2023-1989) CVSSv3 score: 7(High)
A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job may cause a race problem leading to a UAF on hdev devices.
* [CVE-2023-1990](https://nvd.nist.gov/vuln/detail/CVE-2023-1990) CVSSv3 score: 4.7(Medium)
A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.
* [CVE-2023-1998](https://nvd.nist.gov/vuln/detail/CVE-2023-1998) CVSSv3 score: n/a
The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.
This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.
* [CVE-2023-2002](https://nvd.nist.gov/vuln/detail/CVE-2023-2002) CVSSv3 score: 6.8(Medium)
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
* [CVE-2023-20569](https://nvd.nist.gov/vuln/detail/CVE-2023-20569) CVSSv3 score: 4.7(Medium)
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
* [CVE-2023-20588](https://nvd.nist.gov/vuln/detail/CVE-2023-20588) CVSSv3 score: 5.5(Medium)
A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
* [CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593) CVSSv3 score: 5.5(Medium)
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
* [CVE-2023-2124](https://nvd.nist.gov/vuln/detail/CVE-2023-2124) CVSSv3 score: 7.8(High)
An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
* [CVE-2023-21255](https://nvd.nist.gov/vuln/detail/CVE-2023-21255) CVSSv3 score: 7.8(High)
In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
* [CVE-2023-21264](https://nvd.nist.gov/vuln/detail/CVE-2023-21264) CVSSv3 score: 6.7(Medium)
In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
* [CVE-2023-2156](https://nvd.nist.gov/vuln/detail/CVE-2023-2156) CVSSv3 score: 7.5(High)
A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.
* [CVE-2023-2163](https://nvd.nist.gov/vuln/detail/CVE-2023-2163) CVSSv3 score: 8.8(High)
Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.
* [CVE-2023-2194](https://nvd.nist.gov/vuln/detail/CVE-2023-2194) CVSSv3 score: 6.7(Medium)
An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.
* [CVE-2023-2235](https://nvd.nist.gov/vuln/detail/CVE-2023-2235) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.
The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on an event before detaching it from its group, making it possible to use a dangling pointer, causing a use-after-free vulnerability.
We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.
* [CVE-2023-2269](https://nvd.nist.gov/vuln/detail/CVE-2023-2269) CVSSv3 score: 4.4(Medium)
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
* [CVE-2023-25012](https://nvd.nist.gov/vuln/detail/CVE-2023-25012) CVSSv3 score: 4.6(Medium)
The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
* [CVE-2023-25775](https://nvd.nist.gov/vuln/detail/CVE-2023-25775) CVSSv3 score: 9.8(Critical)
Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
* [CVE-2023-2598](https://nvd.nist.gov/vuln/detail/CVE-2023-2598) CVSSv3 score: 7.8(High)
A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.
* [CVE-2023-26545](https://nvd.nist.gov/vuln/detail/CVE-2023-26545) CVSSv3 score: 4.7(Medium)
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
* [CVE-2023-28466](https://nvd.nist.gov/vuln/detail/CVE-2023-28466) CVSSv3 score: 7(High)
do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
* [CVE-2023-28866](https://nvd.nist.gov/vuln/detail/CVE-2023-28866) CVSSv3 score: 5.3(Medium)
In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.
* [CVE-2023-2898](https://nvd.nist.gov/vuln/detail/CVE-2023-2898) CVSSv3 score: 4.7(Medium)
There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
* [CVE-2023-2985](https://nvd.nist.gov/vuln/detail/CVE-2023-2985) CVSSv3 score: 5.5(Medium)
A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.
* [CVE-2023-30456](https://nvd.nist.gov/vuln/detail/CVE-2023-30456) CVSSv3 score: 6.5(Medium)
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
* [CVE-2023-30772](https://nvd.nist.gov/vuln/detail/CVE-2023-30772) CVSSv3 score: 6.4(Medium)
The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
* [CVE-2023-3090](https://nvd.nist.gov/vuln/detail/CVE-2023-3090) CVSSv3 score: n/a
A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.
The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.
We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.
* [CVE-2023-31085](https://nvd.nist.gov/vuln/detail/CVE-2023-31085) CVSSv3 score: 5.5(Medium)
An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
* [CVE-2023-31248](https://nvd.nist.gov/vuln/detail/CVE-2023-31248) CVSSv3 score: n/a
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active, and the flaw is reachable with CAP_NET_ADMIN in any user or network namespace.
* [CVE-2023-3141](https://nvd.nist.gov/vuln/detail/CVE-2023-3141) CVSSv3 score: 7.1(High)
A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.
* [CVE-2023-31436](https://nvd.nist.gov/vuln/detail/CVE-2023-31436) CVSSv3 score: 7.8(High)
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
* [CVE-2023-3212](https://nvd.nist.gov/vuln/detail/CVE-2023-3212) CVSSv3 score: 4.4(Medium)
A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
* [CVE-2023-3220](https://nvd.nist.gov/vuln/detail/CVE-2023-3220) CVSSv3 score: 5.5(Medium)
An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks a check of the return value of kzalloc(), causing a NULL pointer dereference.
* [CVE-2023-32233](https://nvd.nist.gov/vuln/detail/CVE-2023-32233) CVSSv3 score: 7.8(High)
In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
* [CVE-2023-32247](https://nvd.nist.gov/vuln/detail/CVE-2023-32247) CVSSv3 score: n/a
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32248](https://nvd.nist.gov/vuln/detail/CVE-2023-32248) CVSSv3 score: n/a
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32250](https://nvd.nist.gov/vuln/detail/CVE-2023-32250) CVSSv3 score: 8.1(High)
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32252](https://nvd.nist.gov/vuln/detail/CVE-2023-32252) CVSSv3 score: n/a
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
* [CVE-2023-32254](https://nvd.nist.gov/vuln/detail/CVE-2023-32254) CVSSv3 score: 8.1(High)
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32257](https://nvd.nist.gov/vuln/detail/CVE-2023-32257) CVSSv3 score: n/a
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-32258](https://nvd.nist.gov/vuln/detail/CVE-2023-32258) CVSSv3 score: n/a
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
* [CVE-2023-3268](https://nvd.nist.gov/vuln/detail/CVE-2023-3268) CVSSv3 score: 7.1(High)
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
* [CVE-2023-3269](https://nvd.nist.gov/vuln/detail/CVE-2023-3269) CVSSv3 score: 7.8(High)
A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.
* [CVE-2023-3312](https://nvd.nist.gov/vuln/detail/CVE-2023-3312) CVSSv3 score: 7.5(High)
A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in the cpufreq subsystem in the Linux kernel. During device unbind, this flaw leads to a double release, resulting in a denial of service.
* [CVE-2023-3317](https://nvd.nist.gov/vuln/detail/CVE-2023-3317) CVSSv3 score: 7.1(High)
A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel. This flaw could allow an attacker to crash the system after 'features' memory release. This vulnerability could even lead to a kernel information leak problem.
* [CVE-2023-33203](https://nvd.nist.gov/vuln/detail/CVE-2023-33203) CVSSv3 score: 6.4(Medium)
The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
* [CVE-2023-33250](https://nvd.nist.gov/vuln/detail/CVE-2023-33250) CVSSv3 score: 4.4(Medium)
The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.
* [CVE-2023-33288](https://nvd.nist.gov/vuln/detail/CVE-2023-33288) CVSSv3 score: 4.7(Medium)
An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.
* [CVE-2023-3355](https://nvd.nist.gov/vuln/detail/CVE-2023-3355) CVSSv3 score: 5.5(Medium)
A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.
* [CVE-2023-3390](https://nvd.nist.gov/vuln/detail/CVE-2023-3390) CVSSv3 score: n/a
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
* [CVE-2023-33951](https://nvd.nist.gov/vuln/detail/CVE-2023-33951) CVSSv3 score: 5.3(Medium)
A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.
* [CVE-2023-33952](https://nvd.nist.gov/vuln/detail/CVE-2023-33952) CVSSv3 score: n/a
A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel.
* [CVE-2023-34256](https://nvd.nist.gov/vuln/detail/CVE-2023-34256) CVSSv3 score: 5.5(Medium)
An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access.
* [CVE-2023-34319](https://nvd.nist.gov/vuln/detail/CVE-2023-34319) CVSSv3 score: 7.8(High)
The fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
* [CVE-2023-34324](https://nvd.nist.gov/vuln/detail/CVE-2023-34324) CVSSv3 score: 4.9(Medium)
Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest.
The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not negligible.
Note that 32-bit Arm guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued RW locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers from getting the lock).
* [CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001) CVSSv3 score: n/a
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
* [CVE-2023-35788](https://nvd.nist.gov/vuln/detail/CVE-2023-35788) CVSSv3 score: 7.8(High)
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
* [CVE-2023-35823](https://nvd.nist.gov/vuln/detail/CVE-2023-35823) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.
* [CVE-2023-35824](https://nvd.nist.gov/vuln/detail/CVE-2023-35824) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
* [CVE-2023-35826](https://nvd.nist.gov/vuln/detail/CVE-2023-35826) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.
* [CVE-2023-35827](https://nvd.nist.gov/vuln/detail/CVE-2023-35827) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.
* [CVE-2023-35828](https://nvd.nist.gov/vuln/detail/CVE-2023-35828) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.
* [CVE-2023-35829](https://nvd.nist.gov/vuln/detail/CVE-2023-35829) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.
* [CVE-2023-3609](https://nvd.nist.gov/vuln/detail/CVE-2023-3609) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
* [CVE-2023-3610](https://nvd.nist.gov/vuln/detail/CVE-2023-3610) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.
We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
* [CVE-2023-3611](https://nvd.nist.gov/vuln/detail/CVE-2023-3611) CVSSv3 score: n/a
An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
* [CVE-2023-37453](https://nvd.nist.gov/vuln/detail/CVE-2023-37453) CVSSv3 score: 4.6(Medium)
An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds access and crash in read_descriptors in drivers/usb/core/sysfs.c.
* [CVE-2023-3772](https://nvd.nist.gov/vuln/detail/CVE-2023-3772) CVSSv3 score: 4.4(Medium)
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
* [CVE-2023-3773](https://nvd.nist.gov/vuln/detail/CVE-2023-3773) CVSSv3 score: 4.4(Medium)
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
* [CVE-2023-3776](https://nvd.nist.gov/vuln/detail/CVE-2023-3776) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
* [CVE-2023-3777](https://nvd.nist.gov/vuln/detail/CVE-2023-3777) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.
We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
* [CVE-2023-38409](https://nvd.nist.gov/vuln/detail/CVE-2023-38409) CVSSv3 score: 5.5(Medium)
An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).
* [CVE-2023-38426](https://nvd.nist.gov/vuln/detail/CVE-2023-38426) CVSSv3 score: 9.1(Critical)
An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.
* [CVE-2023-38427](https://nvd.nist.gov/vuln/detail/CVE-2023-38427) CVSSv3 score: 9.8(Critical)
An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.
* [CVE-2023-38428](https://nvd.nist.gov/vuln/detail/CVE-2023-38428) CVSSv3 score: 9.1(Critical)
An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.
* [CVE-2023-38429](https://nvd.nist.gov/vuln/detail/CVE-2023-38429) CVSSv3 score: 9.8(Critical)
An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.
* [CVE-2023-38430](https://nvd.nist.gov/vuln/detail/CVE-2023-38430) CVSSv3 score: 9.1(Critical)
An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.
* [CVE-2023-38431](https://nvd.nist.gov/vuln/detail/CVE-2023-38431) CVSSv3 score: 9.1(Critical)
An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.
* [CVE-2023-38432](https://nvd.nist.gov/vuln/detail/CVE-2023-38432) CVSSv3 score: 9.1(Critical)
An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.
* [CVE-2023-3863](https://nvd.nist.gov/vuln/detail/CVE-2023-3863) CVSSv3 score: 4.1(Medium)
A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to cause a kernel information leak.
* [CVE-2023-3865](https://nvd.nist.gov/vuln/detail/CVE-2023-3865) CVSSv3 score: n/a
* [CVE-2023-3866](https://nvd.nist.gov/vuln/detail/CVE-2023-3866) CVSSv3 score: n/a
* [CVE-2023-3867](https://nvd.nist.gov/vuln/detail/CVE-2023-3867) CVSSv3 score: n/a
* [CVE-2023-39189](https://nvd.nist.gov/vuln/detail/CVE-2023-39189) CVSSv3 score: 6(Medium)
A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
* [CVE-2023-39191](https://nvd.nist.gov/vuln/detail/CVE-2023-39191) CVSSv3 score: n/a
An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.
* [CVE-2023-39192](https://nvd.nist.gov/vuln/detail/CVE-2023-39192) CVSSv3 score: 6(Medium)
A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.
* [CVE-2023-39193](https://nvd.nist.gov/vuln/detail/CVE-2023-39193) CVSSv3 score: 6(Medium)
A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
* [CVE-2023-39194](https://nvd.nist.gov/vuln/detail/CVE-2023-39194) CVSSv3 score: 4.4(Medium)
A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.
* [CVE-2023-39197](https://nvd.nist.gov/vuln/detail/CVE-2023-39197) CVSSv3 score: n/a
* [CVE-2023-39198](https://nvd.nist.gov/vuln/detail/CVE-2023-39198) CVSSv3 score: 6.4(Medium)
A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
* [CVE-2023-4004](https://nvd.nist.gov/vuln/detail/CVE-2023-4004) CVSSv3 score: n/a
A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-4015](https://nvd.nist.gov/vuln/detail/CVE-2023-4015) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
On an error when building an nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead to the chain being unbound and to objects being deactivated but later used.
We recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.
* [CVE-2023-40283](https://nvd.nist.gov/vuln/detail/CVE-2023-40283) CVSSv3 score: 7.8(High)
An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.
* [CVE-2023-40791](https://nvd.nist.gov/vuln/detail/CVE-2023-40791) CVSSv3 score: 6.3(Medium)
extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.
* [CVE-2023-4132](https://nvd.nist.gov/vuln/detail/CVE-2023-4132) CVSSv3 score: n/a
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
* [CVE-2023-4133](https://nvd.nist.gov/vuln/detail/CVE-2023-4133) CVSSv3 score: n/a
A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.
* [CVE-2023-4134](https://nvd.nist.gov/vuln/detail/CVE-2023-4134) CVSSv3 score: n/a
* [CVE-2023-4147](https://nvd.nist.gov/vuln/detail/CVE-2023-4147) CVSSv3 score: n/a
A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
* [CVE-2023-4155](https://nvd.nist.gov/vuln/detail/CVE-2023-4155) CVSSv3 score: 5.6(Medium)
A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
* [CVE-2023-4194](https://nvd.nist.gov/vuln/detail/CVE-2023-4194) CVSSv3 score: n/a
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits, a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid") and 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter, and that turns out to not be accurate.
* [CVE-2023-4206](https://nvd.nist.gov/vuln/detail/CVE-2023-4206) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.
When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
* [CVE-2023-4207](https://nvd.nist.gov/vuln/detail/CVE-2023-4207) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
* [CVE-2023-4208](https://nvd.nist.gov/vuln/detail/CVE-2023-4208) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.
When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
* [CVE-2023-4244](https://nvd.nist.gov/vuln/detail/CVE-2023-4244) CVSSv3 score: 7(High)
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.
We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.
* [CVE-2023-4273](https://nvd.nist.gov/vuln/detail/CVE-2023-4273) CVSSv3 score: 6.7(Medium)
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
* [CVE-2023-42752](https://nvd.nist.gov/vuln/detail/CVE-2023-42752) CVSSv3 score: n/a
An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.
* [CVE-2023-42753](https://nvd.nist.gov/vuln/detail/CVE-2023-42753) CVSSv3 score: 7.8(High)
An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
* [CVE-2023-42754](https://nvd.nist.gov/vuln/detail/CVE-2023-42754) CVSSv3 score: n/a
A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.
* [CVE-2023-42756](https://nvd.nist.gov/vuln/detail/CVE-2023-42756) CVSSv3 score: 4.7(Medium)
A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system.
* [CVE-2023-44466](https://nvd.nist.gov/vuln/detail/CVE-2023-44466) CVSSv3 score: 8.8(High)
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.
* [CVE-2023-4569](https://nvd.nist.gov/vuln/detail/CVE-2023-4569) CVSSv3 score: 5.5(Medium)
A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak.
* [CVE-2023-45862](https://nvd.nist.gov/vuln/detail/CVE-2023-45862) CVSSv3 score: 5.5(Medium)
An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.
* [CVE-2023-45863](https://nvd.nist.gov/vuln/detail/CVE-2023-45863) CVSSv3 score: 6.4(Medium)
An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.
* [CVE-2023-45871](https://nvd.nist.gov/vuln/detail/CVE-2023-45871) CVSSv3 score: 7.5(High)
An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.
* [CVE-2023-45898](https://nvd.nist.gov/vuln/detail/CVE-2023-45898) CVSSv3 score: 7.8(High)
The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.
* [CVE-2023-4611](https://nvd.nist.gov/vuln/detail/CVE-2023-4611) CVSSv3 score: 6.3(Medium)
A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.
* [CVE-2023-4623](https://nvd.nist.gov/vuln/detail/CVE-2023-4623) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.
If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.
We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
* [CVE-2023-46813](https://nvd.nist.gov/vuln/detail/CVE-2023-46813) CVSSv3 score: 7(High)
An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.
* [CVE-2023-46862](https://nvd.nist.gov/vuln/detail/CVE-2023-46862) CVSSv3 score: 4.7(Medium)
An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.
* [CVE-2023-4921](https://nvd.nist.gov/vuln/detail/CVE-2023-4921) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().
We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
* [CVE-2023-5090](https://nvd.nist.gov/vuln/detail/CVE-2023-5090) CVSSv3 score: 5.5(Medium)
A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.
* [CVE-2023-5158](https://nvd.nist.gov/vuln/detail/CVE-2023-5158) CVSSv3 score: 5.5(Medium)
A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.
* [CVE-2023-51779](https://nvd.nist.gov/vuln/detail/CVE-2023-51779) CVSSv3 score: n/a
* [CVE-2023-51780](https://nvd.nist.gov/vuln/detail/CVE-2023-51780) CVSSv3 score: n/a
An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.
* [CVE-2023-51781](https://nvd.nist.gov/vuln/detail/CVE-2023-51781) CVSSv3 score: n/a
An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.
* [CVE-2023-51782](https://nvd.nist.gov/vuln/detail/CVE-2023-51782) CVSSv3 score: n/a
An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.
* [CVE-2023-5197](https://nvd.nist.gov/vuln/detail/CVE-2023-5197) CVSSv3 score: 6.6(Medium)
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Addition and removal of rules from chain bindings within the same transaction leads to a use-after-free.
We recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.
* [CVE-2023-5345](https://nvd.nist.gov/vuln/detail/CVE-2023-5345) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation.
In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free.
We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.
* [CVE-2023-5633](https://nvd.nist.gov/vuln/detail/CVE-2023-5633) CVSSv3 score: n/a
The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.
* [CVE-2023-5717](https://nvd.nist.gov/vuln/detail/CVE-2023-5717) CVSSv3 score: n/a
A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.
If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.
We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
* [CVE-2023-5972](https://nvd.nist.gov/vuln/detail/CVE-2023-5972) CVSSv3 score: 7.8(High)
A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.
* [CVE-2023-6039](https://nvd.nist.gov/vuln/detail/CVE-2023-6039) CVSSv3 score: n/a
A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.
* [CVE-2023-6111](https://nvd.nist.gov/vuln/detail/CVE-2023-6111) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.
We recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.
* [CVE-2023-6121](https://nvd.nist.gov/vuln/detail/CVE-2023-6121) CVSSv3 score: n/a
An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).
* [CVE-2023-6176](https://nvd.nist.gov/vuln/detail/CVE-2023-6176) CVSSv3 score: 7.8(High)
A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.
* [CVE-2023-6531](https://nvd.nist.gov/vuln/detail/CVE-2023-6531) CVSSv3 score: n/a
* [CVE-2023-6546](https://nvd.nist.gov/vuln/detail/CVE-2023-6546) CVSSv3 score: 7(High)
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
* [CVE-2023-6560](https://nvd.nist.gov/vuln/detail/CVE-2023-6560) CVSSv3 score: n/a
An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. This issue could allow a local user to crash the system.
* [CVE-2023-6606](https://nvd.nist.gov/vuln/detail/CVE-2023-6606) CVSSv3 score: n/a
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
* [CVE-2023-6622](https://nvd.nist.gov/vuln/detail/CVE-2023-6622) CVSSv3 score: n/a
A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.
* [CVE-2023-6817](https://nvd.nist.gov/vuln/detail/CVE-2023-6817) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The function nft_pipapo_walk did not skip inactive elements during set walk, which could lead to double deactivations of PIPAPO (Pile Packet Policies) elements, leading to a use-after-free.
We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.
* [CVE-2023-6931](https://nvd.nist.gov/vuln/detail/CVE-2023-6931) CVSSv3 score: n/a
A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.
A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group().
We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
* [CVE-2023-6932](https://nvd.nist.gov/vuln/detail/CVE-2023-6932) CVSSv3 score: 7(High)
A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.
A race condition can be exploited to cause a timer to be mistakenly registered on an RCU read-locked object which is freed by another thread.
We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.
* [CVE-2023-7192](https://nvd.nist.gov/vuln/detail/CVE-2023-7192) CVSSv3 score: 4.4(Medium)
A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.
* [CVE-2024-0193](https://nvd.nist.gov/vuln/detail/CVE-2024-0193) CVSSv3 score: 6.7(Medium)
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.
* [CVE-2024-0443](https://nvd.nist.gov/vuln/detail/CVE-2024-0443) CVSSv3 score: n/a
A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.
* binutils
* [CVE-2023-1972](https://nvd.nist.gov/vuln/detail/CVE-2023-1972) CVSSv3 score: 6.5(Medium)
A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.
* curl
* [CVE-2023-46218](https://nvd.nist.gov/vuln/detail/CVE-2023-46218) CVSSv3 score: 6.5(Medium)
This flaw allows a malicious HTTP server to set "super cookies" in curl that
are then passed back to more origins than what is otherwise allowed or
possible. This allows a site to set cookies that then would get sent to
different and unrelated sites and domains.
It could do this by exploiting a mixed case flaw in curl's function that
verifies a given cookie domain against the Public Suffix List (PSL). For
example a cookie could be set with `domain=co.UK` when the URL used a lower
case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
* [CVE-2023-46219](https://nvd.nist.gov/vuln/detail/CVE-2023-46219) CVSSv3 score: 5.3(Medium)
When saving HSTS data to an excessively long file name, curl could end up
removing all contents, making subsequent requests using that file unaware of
the HSTS status they should otherwise use.
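The cookie-domain flaw behind CVE-2023-46218 comes down to a case-sensitive lookup against a case-insensitive name space. The following added example (not curl's code) shows a toy Public Suffix List check in both forms, using a constructed four-entry PSL: the vulnerable check fails to find `co.UK` and so accepts it as a cookie domain, while the send-side domain match is case-insensitive and would hand that cookie to every `*.co.uk` host.

```python
# Added example: a case-insensitive Public Suffix List (PSL) check for cookie
# domains, modelled on the curl flaw described above. Not curl's code.

# Constructed mini PSL for the example; the real list has thousands of rules,
# plus wildcard (*.) and exception (!) entries that this toy lookup ignores.
PSL = {"com", "uk", "co.uk", "org", "github.io"}


def is_public_suffix_vulnerable(domain: str) -> bool:
    """Case-sensitive lookup: 'co.UK' is not found, so it is not treated as a
    public suffix. This mirrors the affected behaviour."""
    return domain.lstrip(".") in PSL


def is_public_suffix_fixed(domain: str) -> bool:
    """Normalise to lower case before the lookup (DNS names are case-insensitive)."""
    return domain.lstrip(".").lower() in PSL


def cookie_domain_allowed(request_host: str, cookie_domain: str, psl_check) -> bool:
    """Decide whether a Set-Cookie 'domain=' attribute received from request_host
    may be honoured. The cookie domain must be the host itself or one of its
    parents, and must not be a public suffix (otherwise it is a 'super cookie')."""
    host = request_host.lower()
    dom = cookie_domain.lstrip(".").lower()
    if not (host == dom or host.endswith("." + dom)):
        return False
    if psl_check(cookie_domain):
        return False
    return True


def would_send(target_host: str, cookie_domain: str) -> bool:
    """Domain matching on the send side is case-insensitive, so a cookie stored
    with domain 'co.UK' goes to every *.co.uk host."""
    host = target_host.lower()
    dom = cookie_domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)


if __name__ == "__main__":
    print("vulnerable check accepts domain=co.UK:",
          cookie_domain_allowed("curl.co.uk", "co.UK", is_public_suffix_vulnerable))
    print("cookie would be sent to evil.co.uk:", would_send("evil.co.uk", "co.UK"))
    print("fixed check accepts domain=co.UK:",
          cookie_domain_allowed("curl.co.uk", "co.UK", is_public_suffix_fixed))
```

The point to carry over to any cookie jar or PSL wrapper you maintain: normalise both the request host and the cookie domain once, before every comparison, rather than only in the domain-match step.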
* gnutls
* [CVE-2023-5981](https://nvd.nist.gov/vuln/detail/CVE-2023-5981) CVSSv3 score: n/a
A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
* intel-microcode
* [CVE-2023-23583](https://nvd.nist.gov/vuln/detail/CVE-2023-23583) CVSSv3 score: 7.8(High)
A sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors, which may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.
* libxml2
* [CVE-2023-45322](https://nvd.nist.gov/vuln/detail/CVE-2023-45322) CVSSv3 score: 6.5(Medium)
libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
* openssh
* [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) CVSSv3 score: 5.9(Medium)
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
* [CVE-2023-51384](https://nvd.nist.gov/vuln/detail/CVE-2023-51384) CVSSv3 score: 5.5(Medium)
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
* [CVE-2023-51385](https://nvd.nist.gov/vuln/detail/CVE-2023-51385) CVSSv3 score: 6.5(Medium)
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
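Whether a given SSH session is exposed to Terrapin (CVE-2023-48795) depends on the negotiated cipher and MAC and on whether both peers support the strict key exchange that OpenSSH 9.6 introduced. The added example below (illustrative code, not OpenSSH's) applies that rule to KEXINIT-style name-lists: the strict-kex marker names `kex-strict-c-v00@openssh.com` and `kex-strict-s-v00@openssh.com` are taken from the OpenSSH 9.6 protocol extension, and the sample algorithm lists are constructed for the example.

```python
# Added example: classify an SSH algorithm negotiation for Terrapin
# (CVE-2023-48795) exposure. Illustrative code, not OpenSSH's; the strict-kex
# marker names come from the OpenSSH 9.6 protocol extension, and the sample
# KEXINIT lists in __main__ are constructed for the example.

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def negotiate(client_list: str, server_list: str):
    """RFC 4253 choice: the first algorithm in the client's name-list that the
    server also lists, else None."""
    server = set(server_list.split(","))
    for alg in client_list.split(","):
        if alg in server:
            return alg
    return None


def terrapin_exposure(client: dict, server: dict) -> tuple:
    """client/server map 'kex', 'ciphers' and 'macs' to comma-separated
    name-lists as they appear in KEXINIT. A real KEXINIT carries separate
    client-to-server and server-to-client cipher and MAC lists; apply this
    function to each direction. Returns (exposed, reason)."""
    if (STRICT_KEX_CLIENT in client["kex"].split(",")
            and STRICT_KEX_SERVER in server["kex"].split(",")):
        return False, "strict kex negotiated by both peers"
    cipher = negotiate(client["ciphers"], server["ciphers"])
    mac = negotiate(client["macs"], server["macs"])
    if cipher is None:
        return False, "no common cipher (connection would fail)"
    if cipher == "chacha20-poly1305@openssh.com":
        return True, f"{cipher} without strict kex"
    if cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
        return True, f"{cipher} with {mac} without strict kex"
    return False, f"{cipher}/{mac} not affected"


if __name__ == "__main__":
    client = {"kex": "curve25519-sha256," + STRICT_KEX_CLIENT,
              "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
              "macs": "hmac-sha2-256-etm@openssh.com,hmac-sha2-256"}
    old_server = {"kex": "curve25519-sha256",
                  "ciphers": "chacha20-poly1305@openssh.com,aes128-cbc",
                  "macs": "hmac-sha2-256-etm@openssh.com"}
    new_server = dict(old_server, kex="curve25519-sha256," + STRICT_KEX_SERVER)
    print("pre-9.6 server:", terrapin_exposure(client, old_server))
    print("9.6 server:   ", terrapin_exposure(client, new_server))
```

Note that strict kex only protects a session when both sides advertise it, so upgrading the server alone does not cover old clients. Until every peer is updated, the only configuration-level mitigation is the one the advisory text implies: drop `chacha20-poly1305@openssh.com` from `Ciphers` and the `-etm@openssh.com` MACs from `MACs` (or drop all CBC ciphers), leaving an AEAD such as AES-GCM.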
* openssl
* [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) CVSSv3 score: 5.3(Medium)
Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.
An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
* [CVE-2023-5363](https://nvd.nist.gov/vuln/detail/CVE-2023-5363) CVSSv3 score: 7.5(High)
Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths. This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.
Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.
When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have been established. Any alterations to the key length,
via the "keylen" parameter or the IV length, via the "ivlen" parameter,
within the OSSL_PARAM array will not take effect as intended, potentially
causing truncation or overreading of these values. The following ciphers
and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.
For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
loss of confidentiality. For example, when following NIST's SP 800-38D
section 8.2.1 guidance for constructing a deterministic IV for AES in
GCM mode, truncation of the counter portion could lead to IV reuse.
Both truncations and overruns of the key and overruns of the IV will
produce incorrect results and could, in some cases, trigger a memory
exception. However, these issues are not currently assessed as security
critical.
Changing the key and/or IV lengths is not considered to be a common operation
and the vulnerable API was recently introduced. Furthermore it is likely that
application developers will have spotted this problem during testing since
decryption would fail unless both peers in the communication were similarly
vulnerable. For these reasons we expect the probability of an application being
vulnerable to this to be quite low. However if an application is vulnerable then
this issue is considered very serious. For these reasons we have assessed this
issue as Moderate severity overall.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
the issue lies outside of the FIPS provider boundary.
OpenSSL 3.1 and 3.0 are vulnerable to this issue.
* [CVE-2023-5678](https://nvd.nist.gov/vuln/detail/CVE-2023-5678) CVSSv3 score: 5.3(Medium)
Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays. Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.
Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.
An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.
DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions. An application calling any of those other
functions may similarly be affected. The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().
Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
* perl
* [CVE-2023-47038](https://nvd.nist.gov/vuln/detail/CVE-2023-47038) CVSSv3 score: 7.8(High)
A vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
* traceroute
* [CVE-2023-46316](https://nvd.nist.gov/vuln/detail/CVE-2023-46316) CVSSv3 score: 5.5(Medium)
In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.
* vim
* [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) CVSSv3 score: 7.5(High)
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.
* [CVE-2023-5441](https://nvd.nist.gov/vuln/detail/CVE-2023-5441) CVSSv3 score: 5.5(Medium)
NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.
* [CVE-2023-5535](https://nvd.nist.gov/vuln/detail/CVE-2023-5535) CVSSv3 score: 7.8(High)
Use After Free in GitHub repository vim/vim prior to v9.0.2010.
* [CVE-2023-46246](https://nvd.nist.gov/vuln/detail/CVE-2023-46246) CVSSv3 score: 5.5(Medium)
Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value, causing an integer overflow and potentially later a use-after-free. This vulnerability has been patched in version 9.0.2068.
#### Beta 3815.1.0
* Go
* [CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326) CVSSv3 score: 5.3(Medium)
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
* [CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285) CVSSv3 score: 7.5(High)
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
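The chunk-extension amplification in CVE-2023-39326 is a ratio problem: every byte of body can be wrapped in kilobytes of extension data that the reader must consume and discard. The added example below (illustrative Python, not Go's net/http) is a chunked-body decoder that counts all consumed bytes as overhead and rejects the stream once that overhead outgrows the delivered body; the specific threshold policy (4 KiB free, then at most twice the body) is an assumption chosen for the example, and the attack input is constructed.

```python
# Added example: an HTTP/1.1 chunked-body decoder that bounds the overhead a
# sender can force through chunk extensions, in the spirit of the Go fix above.
# Illustrative code, not Go's net/http; the threshold policy is an assumption
# chosen for the example.
import re

HEX_RE = re.compile(rb"^[0-9A-Fa-f]{1,16}$")  # strict chunk-size syntax, no '+', '0x', '_'


class ChunkedError(Exception):
    pass


def decode_chunked(data: bytes, max_overhead: int = 4096) -> bytes:
    """Decode `data` as a chunked transfer-coding body and return the body bytes.

    Chunk extensions (';name=value' after the size) and trailer fields are
    discarded, but every byte consumed counts as overhead = consumed - body.
    Up to `max_overhead` bytes of overhead are allowed unconditionally; beyond
    that, overhead may not exceed twice the body delivered so far (assumed
    policy), so a sender cannot make the reader pull kilobytes per body byte.
    """
    pos = 0
    body = bytearray()

    def overhead_check() -> None:
        overhead = pos - len(body)
        if overhead > max_overhead + 2 * len(body):
            raise ChunkedError(
                f"chunk overhead {overhead} too large for {len(body)} body bytes")

    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        if not HEX_RE.match(size_field):
            raise ChunkedError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        overhead_check()  # charge the header (and any extension) before reading data

        if size == 0:
            # last-chunk: skip optional trailer fields up to the empty line
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if line == b"":
                    return bytes(body)

        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ChunkedError("truncated chunk data")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedError("missing CRLF after chunk data")
        pos += 2
        body += chunk


if __name__ == "__main__":
    print(decode_chunked(b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"))
    # Constructed attack: about 2 KiB of extension per 1-byte chunk.
    attack = (b"1;" + b"a" * 2000 + b"\r\nx\r\n") * 10 + b"0\r\n\r\n"
    try:
        decode_chunked(attack)
    except ChunkedError as e:
        print("rejected:", e)
```

The check runs after each chunk-size line and before the chunk data is read, so the decoder stops on the third 2 KiB header rather than after buffering the whole stream. Legitimate bodies are unaffected because their per-chunk overhead is a handful of bytes against chunks of hundreds or more.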
* Linux
* [CVE-2023-1193](https://nvd.nist.gov/vuln/detail/CVE-2023-1193) CVSSv3 score: n/a
A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.
* [CVE-2023-51779](https://nvd.nist.gov/vuln/detail/CVE-2023-51779) CVSSv3 score: n/a
* [CVE-2023-51780](https://nvd.nist.gov/vuln/detail/CVE-2023-51780) CVSSv3 score: n/a
An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.
* [CVE-2023-51781](https://nvd.nist.gov/vuln/detail/CVE-2023-51781) CVSSv3 score: n/a
An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.
* [CVE-2023-51782](https://nvd.nist.gov/vuln/detail/CVE-2023-51782) CVSSv3 score: n/a
An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.
* [CVE-2023-6531](https://nvd.nist.gov/vuln/detail/CVE-2023-6531) CVSSv3 score: n/a
* [CVE-2023-6606](https://nvd.nist.gov/vuln/detail/CVE-2023-6606) CVSSv3 score: n/a
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
* [CVE-2023-6622](https://nvd.nist.gov/vuln/detail/CVE-2023-6622) CVSSv3 score: n/a
A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.
* [CVE-2023-6817](https://nvd.nist.gov/vuln/detail/CVE-2023-6817) CVSSv3 score: n/a
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The function nft_pipapo_walk did not skip inactive elements during set walk, which could lead to double deactivations of PIPAPO (Pile Packet Policies) elements, leading to a use-after-free.
We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.
* [CVE-2023-6931](https://nvd.nist.gov/vuln/detail/CVE-2023-6931) CVSSv3 score: n/a
A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.
A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group().
We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
* VMWare: open-vm-tools
* [CVE-2023-34058](https://nvd.nist.gov/vuln/detail/CVE-2023-34058) CVSSv3 score: 7.5(High)
VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted [Guest Operation Privileges](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html) in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged [Guest Alias](https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html).
* [CVE-2023-34059](https://nvd.nist.gov/vuln/detail/CVE-2023-34059) CVSSv3 score: 7(High)
open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs.
* nghttp2
* [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) CVSSv3 score: 7.5(High)
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
* samba
* [CVE-2023-4091](https://nvd.nist.gov/vuln/detail/CVE-2023-4091) CVSSv3 score: n/a
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
* zlib
* [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) CVSSv3 score: 9.8(Critical)
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
#### Stable 3760.2.0
* Go
* [CVE-2023-39323](https://nvd.nist.gov/vuln/detail/CVE-2023-39323) CVSSv3 score: 8.1(High)
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
* [CVE-2023-39322](https://nvd.nist.gov/vuln/detail/CVE-2023-39322) CVSSv3 score: 7.5(High)
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.
* [CVE-2023-39321](https://nvd.nist.gov/vuln/detail/CVE-2023-39321) CVSSv3 score: 7.5(High)
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
* [CVE-2023-39320](https://nvd.nist.gov/vuln/detail/CVE-2023-39320) CVSSv3 score: 9.8(Critical)
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
* [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) CVSSv3 score: 6.1(Medium)
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
* [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) CVSSv3 score: 6.1(Medium)
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
* [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) CVSSv3 score: 5.3(Medium)
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
* [CVE-2023-29406](https://nvd.nist.gov/vuln/detail/CVE-2023-29406) CVSSv3 score: 6.5(Medium)
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
* [CVE-2023-29405](https://nvd.nist.gov/vuln/detail/CVE-2023-29405) CVSSv3 score: 9.8(Critical)
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
* [CVE-2023-29404](https://nvd.nist.gov/vuln/detail/CVE-2023-29404) CVSSv3 score: 9.8(Critical)
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Next https://hackmd.io/Q_nz85CbS1KfLMgGca8FRA