Report Name: Linux Patch Wednesday March 2024
Generated: 2024-06-16 02:20:35

Product Name	Prevalence	U	C	H	M	L	A	Comment
Linux Kernel	0.9		1	3	43	21	68	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
Sudo	0.9			1			1	Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user
Windows Kernel	0.9		1				1	Windows Kernel
APT	0.8			1			1	A free-software user interface that works with core libraries to handle the installation and removal of software on Debian
Chromium	0.8		3	2	9		14	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Mozilla Firefox	0.8		3	3	5	3	14	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Node.js	0.8				1		1	Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more
PHP	0.8		1		2		3	PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
.NET and Visual Studio	0.7				1		1	.NET and Visual Studio
Apache Tomcat	0.7				1		1	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
ImageMagick	0.6			1			1	ImageMagick, invoked from the command line as magick, is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images
Perl	0.6				1		1	Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
Puma	0.6			1			1	Puma is a Ruby/Rack web server built for parallelism
Python	0.6		3	2	1		6	Python is a high-level, general-purpose programming language
libxml2	0.6			1			1	libxml2 is an XML toolkit implemented in C, originally developed for the GNOME Project
FRRouting	0.5				1		1	Free Range Routing or FRRouting or FRR is a network routing software suite running on Unix-like platforms, particularly Linux, Solaris, OpenBSD, FreeBSD and NetBSD
Git	0.4				1		1	Git
Unknown Product	0			4	16	15	35	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		3	1			4
Authentication Bypass	0.98				2		2
Code Injection	0.97			1			1
Command Injection	0.97		3	3		3	9
Security Feature Bypass	0.9		4	2	11		17
Elevation of Privilege	0.85		1	1	1		3
Information Disclosure	0.83			2	4	1	7
Cross Site Scripting	0.8				2		2
Denial of Service	0.7			3	20	3	26
Incorrect Calculation	0.5			1	1		2
Memory Corruption	0.5		1	5	39		45
Unknown Vulnerability Type	0				2	32	34

Source	U	C	H	M	L	A
almalinux		2	6	17	13	38
debian		10	17	79	34	140
oraclelinux		2	7	21	13	43
redhat		2	7	21	17	47
redos		7	10	19	4	40
ubuntu		6	12	60	33	111

Urgent (0)

Critical (12)

1. Command Injection - Windows Kernel (CVE-2024-24806) - Critical [656]

Description: libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2024-24806 was patched at 2024-03-10, 2024-05-15

redos: CVE-2024-24806 was patched at 2024-06-11

ubuntu: CVE-2024-24806 was patched at 2024-02-28

2. Remote Code Execution - Mozilla Firefox (CVE-2024-2607) - Critical [639]

Description: Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:* This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

almalinux: CVE-2024-2607 was patched at 2024-03-25

debian: CVE-2024-2607 was patched at 2024-03-21, 2024-05-15

oraclelinux: CVE-2024-2607 was patched at 2024-03-25, 2024-03-26

redhat: CVE-2024-2607 was patched at 2024-03-25

ubuntu: CVE-2024-2607 was patched at 2024-03-20, 2024-03-26

3. Remote Code Execution - Mozilla Firefox (CVE-2024-2612) - Critical [639]

Description: If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

almalinux: CVE-2024-2612 was patched at 2024-03-25

debian: CVE-2024-2612 was patched at 2024-03-21, 2024-05-15

oraclelinux: CVE-2024-2612 was patched at 2024-03-25, 2024-03-26

redhat: CVE-2024-2612 was patched at 2024-03-25

ubuntu: CVE-2024-2612 was patched at 2024-03-20, 2024-03-26

4. Remote Code Execution - PHP (CVE-2024-25117) - Critical [621]

Description: php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.

debian: CVE-2024-25117 was patched at 2024-03-20, 2024-05-15

5. Security Feature Bypass - Chromium (CVE-2024-1671) - Critical [621]

Description: Inappropriate implementation in Site Isolation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

debian: CVE-2024-1671 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1671 was patched at 2024-05-07

6. Security Feature Bypass - Chromium (CVE-2024-1672) - Critical [621]

Description: Inappropriate implementation in Content Security Policy in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

debian: CVE-2024-1672 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1672 was patched at 2024-05-07

7. Security Feature Bypass - Chromium (CVE-2024-1674) - Critical [621]

Description: Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

debian: CVE-2024-1674 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1674 was patched at 2024-05-07

8. Security Feature Bypass - Mozilla Firefox (CVE-2024-2606) - Critical [621]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values. This vulnerability affects Firefox < 124.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

ubuntu: CVE-2024-2606 was patched at 2024-03-20

9. Command Injection - Python (CVE-2023-37276) - Critical [618]

Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

debian: CVE-2023-37276 was patched at 2024-05-15

redos: CVE-2023-37276 was patched at 2024-03-18

10. Elevation of Privilege - Linux Kernel (CVE-2024-0582) - Critical [611]

Description: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.

ubuntu: CVE-2024-0582 was patched at 2024-02-23, 2024-02-28, 2024-02-29

11. Memory Corruption - Python (CVE-2024-26130) - Critical [611]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26130 was patched at 2024-05-15

redos: CVE-2024-26130 was patched at 2024-04-22

ubuntu: CVE-2024-26130 was patched at 2024-03-04, 2024-05-27

12. Command Injection - Python (CVE-2023-47627) - Critical [606]

Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

debian: CVE-2023-47627 was patched at 2024-05-15

redos: CVE-2023-47627 was patched at 2024-03-18

High (19)

13. Denial of Service - Linux Kernel (CVE-2023-6560) - High [560]

Description: An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. This issue could allow a local user to crash the system.

ubuntu: CVE-2023-6560 was patched at 2024-03-06, 2024-03-08, 2024-03-19

14. Code Injection - Unknown Product (CVE-2024-1597) - High [554]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-1597 was patched at 2024-03-20

debian: CVE-2024-1597 was patched at 2024-05-15

oraclelinux: CVE-2024-1597 was patched at 2024-03-20

redhat: CVE-2024-1597 was patched at 2024-03-20, 2024-04-02, 2024-04-23, 2024-04-30, 2024-05-23

15. Incorrect Calculation - Mozilla Firefox (CVE-2024-2608) - High [550]

Description: `AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

almalinux: CVE-2024-2608 was patched at 2024-03-25

debian: CVE-2024-2608 was patched at 2024-03-21, 2024-05-15

oraclelinux: CVE-2024-2608 was patched at 2024-03-25, 2024-03-26

redhat: CVE-2024-2608 was patched at 2024-03-25

ubuntu: CVE-2024-2608 was patched at 2024-03-20, 2024-03-26

16. Memory Corruption - Chromium (CVE-2024-1669) - High [550]

Description: Out of bounds memory access in Blink in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-1669 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1669 was patched at 2024-05-07

17. Memory Corruption - Chromium (CVE-2024-1670) - High [550]

Description: Use after free in Mojo in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-1670 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1670 was patched at 2024-05-07

18. Memory Corruption - Mozilla Firefox (CVE-2024-2614) - High [550]

Description: Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

almalinux: CVE-2024-2614 was patched at 2024-03-25

almalinux: CVE-2024-26141 was patched at 2024-04-30, 2024-05-22

almalinux: CVE-2024-26146 was patched at 2024-04-30, 2024-05-22

debian: CVE-2024-2614 was patched at 2024-03-21, 2024-05-15

debian: CVE-2024-26141 was patched at 2024-05-15, 2024-05-24

debian: CVE-2024-26146 was patched at 2024-05-15, 2024-05-24

oraclelinux: CVE-2024-2614 was patched at 2024-03-25, 2024-03-26

oraclelinux: CVE-2024-26141 was patched at 2024-05-02, 2024-05-23

oraclelinux: CVE-2024-26146 was patched at 2024-05-02, 2024-05-23

redhat: CVE-2024-2614 was patched at 2024-03-25

redhat: CVE-2024-26141 was patched at 2024-04-16, 2024-04-23, 2024-04-30, 2024-05-22, 2024-05-28

redhat: CVE-2024-26146 was patched at 2024-04-16, 2024-04-23, 2024-04-30, 2024-05-22, 2024-05-28

redos: CVE-2024-26141 was patched at 2024-05-08

redos: CVE-2024-26146 was patched at 2024-05-08

ubuntu: CVE-2024-2614 was patched at 2024-03-20, 2024-03-26

ubuntu: CVE-2024-26141 was patched at 2024-03-12

ubuntu: CVE-2024-26146 was patched at 2024-03-12

19. Memory Corruption - Mozilla Firefox (CVE-2024-2615) - High [550]

Description: Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124.

ubuntu: CVE-2024-2615 was patched at 2024-03-20

20. Denial of Service - ImageMagick (CVE-2022-1115) - High [546]

Description: A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

debian: CVE-2022-1115 was patched at 2024-02-22, 2024-05-15

redos: CVE-2022-1115 was patched at 2024-06-11

21. Security Feature Bypass - Python (CVE-2023-49081) - High [546]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-49081 was patched at 2024-05-15

redos: CVE-2023-49081 was patched at 2024-03-18

22. Memory Corruption - libxml2 (CVE-2024-25062) - High [498]

Description: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

almalinux: CVE-2024-25062 was patched at 2024-05-02, 2024-06-05

debian: CVE-2024-25062 was patched at 2024-05-15

oraclelinux: CVE-2024-25062 was patched at 2024-05-07, 2024-06-05

redhat: CVE-2024-25062 was patched at 2024-05-02, 2024-05-22, 2024-05-23, 2024-06-05

redos: CVE-2024-25062 was patched at 2024-04-10

ubuntu: CVE-2024-25062 was patched at 2024-02-26, 2024-03-11

23. Command Injection - Unknown Product (CVE-2023-32668) - High [482]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-32668 was patched at 2024-05-15

ubuntu: CVE-2023-32668 was patched at 2024-03-14

24. Command Injection - Puma (CVE-2023-40175) - High [463]

Description: Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2023-40175 was patched at 2024-05-15

ubuntu: CVE-2023-40175 was patched at 2024-03-07

25. Command Injection - Python (CVE-2023-49082) - High [457]

Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

debian: CVE-2023-49082 was patched at 2024-05-15

redos: CVE-2023-49082 was patched at 2024-03-18

26. Denial of Service - Unknown Product (CVE-2023-52425) - High [446]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2023-52425 was patched at 2024-03-26, 2024-04-02

debian: CVE-2023-52425 was patched at 2024-05-15

oraclelinux: CVE-2023-52425 was patched at 2024-03-26, 2024-04-03

redhat: CVE-2023-52425 was patched at 2024-03-26, 2024-04-02, 2024-04-30, 2024-05-14

ubuntu: CVE-2023-52425 was patched at 2024-03-14

27. Information Disclosure - Linux Kernel (CVE-2023-39197) - High [441]

Description: An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.

debian: CVE-2023-39197 was patched at 2024-05-15

redos: CVE-2023-39197 was patched at 2024-04-09

ubuntu: CVE-2023-39197 was patched at 2024-03-18, 2024-03-20, 2024-03-21, 2024-03-25, 2024-04-09

28. Remote Code Execution - Sudo (CVE-2024-24821) - High [435]

Description: Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh rm vendor/composer/installed.php vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins ```

debian: CVE-2024-24821 was patched at 2024-02-26, 2024-05-15

redos: CVE-2024-24821 was patched at 2024-03-29

29. Security Feature Bypass - Unknown Product (CVE-2024-25617) - High [434]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2 ', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-25617 was patched at 2024-03-19

debian: CVE-2024-25617 was patched at 2024-03-08, 2024-05-15

oraclelinux: CVE-2024-25617 was patched at 2024-03-20, 2024-03-21, 2024-04-11

redhat: CVE-2024-25617 was patched at 2024-03-01, 2024-03-04, 2024-03-06, 2024-03-19, 2024-04-11, 2024-04-16, 2024-05-09

ubuntu: CVE-2024-25617 was patched at 2024-04-10

30. Information Disclosure - APT (CVE-2023-50782) - High [424]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-50782 was patched at 2024-05-15

redos: CVE-2023-50782 was patched at 2024-05-21

ubuntu: CVE-2023-50782 was patched at 2024-03-04, 2024-03-14

31. Elevation of Privilege - Linux Kernel (CVE-2024-1085) - High [408]

Description: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability. We recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.

debian: CVE-2024-1085 was patched at 2024-05-15

oraclelinux: CVE-2024-1085 was patched at 2024-03-11, 2024-05-02

redhat: CVE-2024-1085 was patched at 2024-02-28

ubuntu: CVE-2024-1085 was patched at 2024-03-11, 2024-03-20, 2024-03-21, 2024-03-25, 2024-03-28, 2024-04-30

Medium (82)

32. Memory Corruption - Unknown Product (CVE-2024-22667) - Medium [398]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-22667 was patched at 2024-05-15

redos: CVE-2024-22667 was patched at 2024-04-10

ubuntu: CVE-2024-22667 was patched at 2024-03-18

33. Denial of Service - Linux Kernel (CVE-2023-52444) - Medium [382]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid dirent corruption\n\nAs Al reported in link[1]:\n\nf2fs_rename()\n...\n\tif (old_dir != new_dir && !whiteout)\n\t\tf2fs_set_link(old_inode, old_dir_entry,\n\t\t\t\t\told_dir_page, new_dir);\n\telse\n\t\tf2fs_put_page(old_dir_page, 0);\n\nYou want correct inumber in the ".." link. And cross-directory\nrename does move the source to new parent, even if you'd been asked\nto leave a whiteout in the old place.\n\n[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/\n\nWith below testcase, it may cause dirent corruption, due to it missed\nto call f2fs_set_link() to update ".." link to new directory.\n- mkdir -p dir/foo\n- renameat2 -w dir/foo bar\n\n[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3]\n[FSCK] other corrupted bugs [Fail]', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52444 was patched at 2024-05-15

ubuntu: CVE-2023-52444 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

34. Information Disclosure - Linux Kernel (CVE-2023-50431) - Medium [381]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-50431 was patched at 2024-05-15

ubuntu: CVE-2023-50431 was patched at 2024-03-11, 2024-04-09, 2024-04-16

35. Information Disclosure - Linux Kernel (CVE-2024-0340) - Medium [381]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-0340 was patched at 2024-06-05

debian: CVE-2024-0340 was patched at 2024-05-06, 2024-05-15

oraclelinux: CVE-2024-0340 was patched at 2024-04-08, 2024-06-05

redhat: CVE-2024-0340 was patched at 2024-06-05

ubuntu: CVE-2024-0340 was patched at 2024-03-06, 2024-03-08, 2024-03-11, 2024-03-13, 2024-03-19, 2024-03-20, 2024-03-25, 2024-03-27

36. Denial of Service - Git (CVE-2024-24575) - Medium [370]

Description: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.

debian: CVE-2024-24575 was patched at 2024-05-15

redos: CVE-2024-24575 was patched at 2024-04-10

ubuntu: CVE-2024-24575 was patched at 2024-03-05

37. Denial of Service - Node.js (CVE-2024-22019) - Medium [365]

Description: A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

almalinux: CVE-2024-22019 was patched at 2024-03-20, 2024-03-25, 2024-03-26, 2024-04-08

debian: CVE-2024-22019 was patched at 2024-05-15

oraclelinux: CVE-2024-22019 was patched at 2024-03-21, 2024-03-26, 2024-04-08

redhat: CVE-2024-22019 was patched at 2024-03-18, 2024-03-19, 2024-03-20, 2024-03-25, 2024-03-26, 2024-04-04, 2024-04-08, 2024-04-18, 2024-04-22, 2024-05-02, 2024-05-09

38. Denial of Service - Linux Kernel (CVE-2022-0480) - Medium [358]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2022-0480 was patched at 2024-05-15

oraclelinux: CVE-2022-0480 was patched at 2024-05-02

redhat: CVE-2022-0480 was patched at 2024-03-12, 2024-03-13

39. Denial of Service - Linux Kernel (CVE-2022-48619) - Medium [358]

Description: An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.

debian: CVE-2022-48619 was patched at 2024-05-15

oraclelinux: CVE-2022-48619 was patched at 2024-03-01

40. Denial of Service - Linux Kernel (CVE-2023-6915) - Medium [358]

Description: A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.

almalinux: CVE-2023-6915 was patched at 2024-05-22

debian: CVE-2023-6915 was patched at 2024-05-15

oraclelinux: CVE-2023-6915 was patched at 2024-05-02, 2024-05-23

redhat: CVE-2023-6915 was patched at 2024-05-22

ubuntu: CVE-2023-6915 was patched at 2024-02-22, 2024-02-23, 2024-02-28, 2024-02-29, 2024-03-04, 2024-04-19

41. Denial of Service - Linux Kernel (CVE-2024-26591) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.

debian: CVE-2024-26591 was patched at 2024-05-15

ubuntu: CVE-2024-26591 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-19, 2024-04-22, 2024-04-24

42. Security Feature Bypass - Python (CVE-2023-47641) - Medium [355]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-47641 was patched at 2024-05-15

redos: CVE-2023-47641 was patched at 2024-03-18

43. Denial of Service - .NET and Visual Studio (CVE-2024-21392) - Medium [348]

Description: .NET and Visual Studio Denial of Service Vulnerability

almalinux: CVE-2024-21392 was patched at 2024-03-13

oraclelinux: CVE-2024-21392 was patched at 2024-03-14, 2024-03-15

redhat: CVE-2024-21392 was patched at 2024-03-13

ubuntu: CVE-2024-21392 was patched at 2024-03-12

44. Denial of Service - Linux Kernel (CVE-2024-24855) - Medium [346]

Description: A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

debian: CVE-2024-24855 was patched at 2024-05-15

ubuntu: CVE-2024-24855 was patched at 2024-03-18, 2024-03-19, 2024-03-20, 2024-03-21, 2024-03-25, 2024-03-28, 2024-04-09

45. Denial of Service - Linux Kernel (CVE-2024-24860) - Medium [346]

Description: A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

debian: CVE-2024-24860 was patched at 2024-05-15

ubuntu: CVE-2024-24860 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

46. Memory Corruption - Linux Kernel (CVE-2023-22995) - Medium [346]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-22995 was patched at 2024-05-15

ubuntu: CVE-2023-22995 was patched at 2024-03-06, 2024-03-08, 2024-03-11, 2024-03-13, 2024-03-19, 2024-03-20, 2024-03-25, 2024-03-27

47. Memory Corruption - Linux Kernel (CVE-2023-52438) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shinker's callback The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.

debian: CVE-2023-52438 was patched at 2024-05-15

ubuntu: CVE-2023-52438 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17

48. Memory Corruption - Linux Kernel (CVE-2023-52439) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock.

almalinux: CVE-2023-52439 was patched at 2024-06-05

debian: CVE-2023-52439 was patched at 2024-05-15

oraclelinux: CVE-2023-52439 was patched at 2024-06-05

redhat: CVE-2023-52439 was patched at 2024-06-05

ubuntu: CVE-2023-52439 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-05-16, 2024-05-20, 2024-05-21, 2024-05-23

49. Memory Corruption - Linux Kernel (CVE-2023-52445) - Medium [346]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix use after free on context disconnection\n\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2023-52445 was patched at 2024-06-05

debian: CVE-2023-52445 was patched at 2024-05-15

oraclelinux: CVE-2023-52445 was patched at 2024-06-05

redhat: CVE-2023-52445 was patched at 2024-06-05

ubuntu: CVE-2023-52445 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-04-19, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

50. Memory Corruption - Linux Kernel (CVE-2023-52447) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.

debian: CVE-2023-52447 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2023-52447 was patched at 2024-03-11, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

51. Memory Corruption - Linux Kernel (CVE-2023-52451) - Medium [346]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/memhp: Fix access beyond end of drmem array\n\ndlpar_memory_remove_by_index() may access beyond the bounds of the\ndrmem lmb array when the LMB lookup fails to match an entry with the\ngiven DRC index. When the search fails, the cursor is left pointing to\n&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the\nlast valid entry in the array. The debug message at the end of the\nfunction then dereferences this pointer:\n\n pr_debug("Failed to hot-remove memory at %llx\\n",\n lmb->base_addr);\n\nThis was found by inspection and confirmed with KASAN:\n\n pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658\n Read of size 8 at addr c000000364e97fd0 by task bash/949\n\n dump_stack_lvl+0xa4/0xfc (unreliable)\n print_report+0x214/0x63c\n kasan_report+0x140/0x2e0\n __asan_load8+0xa8/0xe0\n dlpar_memory+0x298/0x1658\n handle_dlpar_errorlog+0x130/0x1d0\n dlpar_store+0x18c/0x3e0\n kobj_attr_store+0x68/0xa0\n sysfs_kf_write+0xc4/0x110\n kernfs_fop_write_iter+0x26c/0x390\n vfs_write+0x2d4/0x4e0\n ksys_write+0xac/0x1a0\n system_call_exception+0x268/0x530\n system_call_vectored_common+0x15c/0x2ec\n\n Allocated by task 1:\n kasan_save_stack+0x48/0x80\n kasan_set_track+0x34/0x50\n kasan_save_alloc_info+0x34/0x50\n __kasan_kmalloc+0xd0/0x120\n __kmalloc+0x8c/0x320\n kmalloc_array.constprop.0+0x48/0x5c\n drmem_init+0x2a0/0x41c\n do_one_initcall+0xe0/0x5c0\n kernel_init_freeable+0x4ec/0x5a0\n kernel_init+0x30/0x1e0\n ret_from_kernel_user_thread+0x14/0x1c\n\n The buggy address belongs to the object at c000000364e80000\n which belongs to the cache kmalloc-128k of size 131072\n The buggy address is located 0 bytes to the right of\n allocated 98256-byte region [c000000364e80000, c000000364e97fd0)\n\n ==================================================================\n pseries-hotplug-mem: Failed to hot-remove memory at 0\n\nLog failed lookups with a separate message and dereference the\ncursor only when it points to a valid entry.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52451 was patched at 2024-05-15

ubuntu: CVE-2023-52451 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-04-19, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

52. Memory Corruption - Linux Kernel (CVE-2024-26588) - Medium [346]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Prevent out-of-bounds memory access\n\nThe test_tag test triggers an unhandled page fault:\n\n # ./test_tag\n [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70\n [ 130.640501] Oops[#3]:\n [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a\n [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40\n [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000\n [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000\n [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70\n [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0\n [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0\n [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000\n [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000\n [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988\n [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988\n [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE)\n [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE)\n [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n [ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n [ 130.642658] BADV: ffff80001b898004\n [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]\n [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)\n [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8\n [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0\n [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000\n [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000\n [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000\n [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000\n [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558\n [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000\n [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc\n [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0\n [ 130.644572] ...\n [ 130.644629] Call Trace:\n [ 130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988\n [ 130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec\n [ 130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0\n [ 130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44\n [ 130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588\n [ 130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c\n [ 130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94\n [ 130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158\n [ 130.645507]\n [ 130.645539] Code: 380839f6 380831f9 28412bae <24000ca6> 004081ad 0014cb50 004083e8 02bff34c 58008e91\n [ 130.645729]\n [ 130.646418] ---[ end trace 0000000000000000 ]---\n\nOn my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at\nloading a BPF prog with 2039 instructions:\n\n prog = (struct bpf_prog *)ffff80001b894000\n insn = (struct bpf_insn *)(prog->insnsi)fff\n---truncated---', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26588 was patched at 2024-05-15

ubuntu: CVE-2024-26588 was patched at 2024-03-11

53. Memory Corruption - Linux Kernel (CVE-2024-26589) - Medium [346]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\n\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\n\nThe following prog is accepted:\n\n func#0 @0\n 0: R1=ctx() R10=fp0\n 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()\n 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()\n 2: (b7) r8 = 1024 ; R8_w=1024\n 3: (37) r8 /= 1 ; R8_w=scalar()\n 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,\n smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n 5: (0f) r7 += r8\n mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n var_off=(0x0; 0x400))\n 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()\n 7: (95) exit\n\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\n\n BUG: unable to handle page fault for address: ffffc90014c80038\n [...]\n Call Trace:\n <TASK>\n bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n __bpf_prog_run include/linux/filter.h:651 [inline]\n bpf_prog_run include/linux/filter.h:658 [inline]\n bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with "R7 pointer arithmetic\non flow_keys prohibited".', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26589 was patched at 2024-05-15

ubuntu: CVE-2024-26589 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-19, 2024-04-22, 2024-04-24

54. Authentication Bypass - Linux Kernel (CVE-2024-26594) - Medium [336]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate mech token in session setup\n\nIf client send invalid mech token in session setup request, ksmbd\nvalidate and make the error if it is invalid.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26594 was patched at 2024-05-15

ubuntu: CVE-2024-26594 was patched at 2024-03-11, 2024-05-07, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

55. Memory Corruption - Linux Kernel (CVE-2024-0775) - Medium [334]

Description: A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.

debian: CVE-2024-0775 was patched at 2024-05-15

oraclelinux: CVE-2024-0775 was patched at 2024-03-01

ubuntu: CVE-2024-0775 was patched at 2024-03-18, 2024-03-20, 2024-03-21, 2024-03-25, 2024-04-09

56. Incorrect Calculation - Linux Kernel (CVE-2024-23849) - Medium [322]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-23849 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2024-23849 was patched at 2024-03-11, 2024-05-07, 2024-05-14, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

57. Memory Corruption - Linux Kernel (CVE-2023-23000) - Medium [322]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-23000 was patched at 2024-05-15

redos: CVE-2023-23000 was patched at 2024-04-01

ubuntu: CVE-2023-23000 was patched at 2024-03-18, 2024-03-19, 2024-03-20, 2024-03-21, 2024-03-25, 2024-03-28, 2024-04-09

58. Memory Corruption - Linux Kernel (CVE-2023-52443) - Medium [322]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: avoid crash when parsed profile name is empty\n\nWhen processing a packed profile in unpack_profile() described like\n\n "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"\n\na string ":samba-dcerpcd" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\n\naa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\n\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment "a ns name without a following profile is allowed"\ninside.\n\nAFAICS, nothing can prevent unpacked "name" to be in form like\n":samba-dcerpcd" - it is passed from userspace.\n\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\n\nFound by Linux Verification Center (linuxtesting.org).', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52443 was patched at 2024-05-15

ubuntu: CVE-2023-52443 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

59. Memory Corruption - Linux Kernel (CVE-2023-52448) - Medium [322]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\n\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating\nrgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2023-52448 was patched at 2024-05-22

debian: CVE-2023-52448 was patched at 2024-05-15

oraclelinux: CVE-2023-52448 was patched at 2024-05-02, 2024-05-23

redhat: CVE-2023-52448 was patched at 2024-05-22

ubuntu: CVE-2023-52448 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

60. Memory Corruption - Linux Kernel (CVE-2023-52449) - Medium [322]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\n\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\n\nubi_gluebi_init\n ubi_register_volume_notifier\n ubi_enumerate_volumes\n ubi_notify_all\n gluebi_notify nb->notifier_call()\n gluebi_create\n mtd_device_register\n mtd_device_parse_register\n add_mtd_device\n blktrans_notify_add not->add()\n ftl_add_mtd tr->add_mtd()\n scan_header\n mtd_read\n mtd_read_oob\n mtd_read_oob_std\n gluebi_read mtd->read()\n gluebi->desc - NULL\n\nDetailed reproduction information available at the Link [1],\n\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\n\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52449 was patched at 2024-05-15

ubuntu: CVE-2023-52449 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

61. Security Feature Bypass - Linux Kernel (CVE-2024-26625) - Medium [322]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nllc: call sock_orphan() at release time\n\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\n\nIn commit ff7b11aa481f ("net: socket: set sock->sk to NULL after\ncalling proto_ops::release()") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\n\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\n\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\n\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n list_empty include/linux/list.h:373 [inline]\n waitqueue_active include/linux/wait.h:127 [inline]\n sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n skb_release_all net/core/skbuff.c:1092 [inline]\n napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n napi_poll net/core/dev.c:6645 [inline]\n net_rx_action+0x956/0xe90 net/core/dev.c:6778\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n run_ksoftirqd kernel/softirq.c:921 [inline]\n run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\n\nAllocated by task 5167:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:314 [inline]\n __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3813 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3019 [inline]\n sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n alloc_inode+0x5d/0x220 fs/inode.c:260\n new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n sock_alloc+0x40/0x270 net/socket.c:634\n __sock_create+0xbc/0x800 net/socket.c:1535\n sock_create net/socket.c:1622 [inline]\n __sys_socket_create net/socket.c:1659 [inline]\n __sys_socket+0x14c/0x260 net/socket.c:1706\n __do_sys_socket net/socket.c:1720 [inline]\n __se_sys_socket net/socket.c:1718 [inline]\n __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 0:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n poison_slab_object mm/kasan/common.c:241 [inline]\n __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2121 [inlin\n---truncated---', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26625 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2024-26625 was patched at 2024-03-11, 2024-05-07, 2024-05-14, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

62. Authentication Bypass - Unknown Product (CVE-2023-52161) - Medium [305]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'The Access Point functionality in eapol_auth_key_handle in eapol.c in iNet wireless daemon (IWD) before 2.14 allows attackers to gain unauthorized access to a protected Wi-Fi network. An attacker can complete the EAPOL handshake by skipping Msg2/4 and instead sending Msg4/4 with an all-zero key.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52161 was patched at 2024-02-25, 2024-05-15

63. Security Feature Bypass - Chromium (CVE-2024-1675) - Medium [305]

Description: Insufficient policy enforcement in Download in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)

debian: CVE-2024-1675 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1675 was patched at 2024-05-07

64. Security Feature Bypass - Chromium (CVE-2024-1676) - Medium [305]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low)', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-1676 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1676 was patched at 2024-05-07

65. Security Feature Bypass - Chromium (CVE-2024-2174) - Medium [305]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-2174 was patched at 2024-03-06, 2024-05-15

redos: CVE-2024-2174 was patched at 2024-05-07

66. Security Feature Bypass - Mozilla Firefox (CVE-2024-2611) - Medium [305]

Description: A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

almalinux: CVE-2024-2611 was patched at 2024-03-25

debian: CVE-2024-2611 was patched at 2024-03-21, 2024-05-15

oraclelinux: CVE-2024-2611 was patched at 2024-03-25, 2024-03-26

redhat: CVE-2024-2611 was patched at 2024-03-25

ubuntu: CVE-2024-2611 was patched at 2024-03-20, 2024-03-26

67. Denial of Service - Unknown Product (CVE-2024-23638) - Medium [303]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-23638 was patched at 2024-03-08, 2024-05-15

redos: CVE-2024-23638 was patched at 2024-03-29

ubuntu: CVE-2024-23638 was patched at 2024-04-10

68. Unknown Vulnerability Type - PHP (CVE-2023-50252) - Medium [300]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image>` tag. The problem pops up especially when the `href` attribute from the `<use>` tag has not been sanitized. This can lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8. Version 0.5.1 contains a patch for this issue. ', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-50252 was patched at 2024-03-20, 2024-05-15

69. Security Feature Bypass - Apache Tomcat (CVE-2024-24549) - Medium [289]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-24549 was patched at 2024-05-23, 2024-06-06

debian: CVE-2024-24549 was patched at 2024-04-17, 2024-04-19, 2024-05-15

oraclelinux: CVE-2024-24549 was patched at 2024-05-23, 2024-06-06

redhat: CVE-2024-24549 was patched at 2024-03-18, 2024-05-23, 2024-06-06, 2024-06-11

70. Cross Site Scripting - Mozilla Firefox (CVE-2024-2610) - Medium [288]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-2610 was patched at 2024-03-25

debian: CVE-2024-2610 was patched at 2024-03-21, 2024-05-15

oraclelinux: CVE-2024-2610 was patched at 2024-03-25, 2024-03-26

redhat: CVE-2024-2610 was patched at 2024-03-25

ubuntu: CVE-2024-2610 was patched at 2024-03-20, 2024-03-26

71. Denial of Service - Linux Kernel (CVE-2023-52456) - Medium [286]

Description: In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TX_EN pin. When the TTY port is closed in the middle of a transmission (for instance during userland application crash), imx_uart_shutdown disables the interface and disables the Transmission Complete interrupt. afer that, imx_uart_stop_tx bails on an incomplete transmission, to be retriggered by the TC interrupt. This interrupt is disabled and therefore the tx statemachine never transitions out of SEND. The statemachine is in deadlock now, and the TX_EN remains low, making the interface useless. imx_uart_stop_tx now checks for incomplete transmission AND whether TC interrupts are enabled before bailing to be retriggered. This makes sure the state machine handling is reached, and is properly set to WAIT_AFTER_SEND.

debian: CVE-2023-52456 was patched at 2024-05-15

ubuntu: CVE-2023-52456 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

72. Denial of Service - Linux Kernel (CVE-2024-26602) - Medium [286]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-26602 was patched at 2024-05-22

debian: CVE-2024-26602 was patched at 2024-05-06, 2024-05-15

oraclelinux: CVE-2024-26602 was patched at 2024-03-20, 2024-05-02, 2024-05-23

redhat: CVE-2024-26602 was patched at 2024-03-12, 2024-03-14, 2024-03-27, 2024-04-03, 2024-04-23, 2024-04-30, 2024-05-22, 2024-06-11

ubuntu: CVE-2024-26602 was patched at 2024-05-07, 2024-05-14, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-11

73. Memory Corruption - Unknown Product (CVE-2021-34981) - Medium [285]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2021-34981 was patched at 2024-05-15

oraclelinux: CVE-2021-34981 was patched at 2024-03-01

74. Security Feature Bypass - Unknown Product (CVE-2023-46838) - Medium [279]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Transmit requests in Xen's virtual network protocol can consist of\nmultiple parts. While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all. Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments. Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-46838 was patched at 2024-05-15

ubuntu: CVE-2023-46838 was patched at 2024-03-11, 2024-03-18, 2024-03-20, 2024-03-25, 2024-04-09, 2024-04-16, 2024-04-17

75. Denial of Service - Mozilla Firefox (CVE-2024-2613) - Medium [270]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26130 was patched at 2024-05-15

redos: CVE-2024-26130 was patched at 2024-04-22

ubuntu: CVE-2024-2613 was patched at 2024-03-20

ubuntu: CVE-2024-26130 was patched at 2024-03-04, 2024-05-27

76. Security Feature Bypass - Unknown Product (CVE-2023-46317) - Medium [267]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Knot Resolver before 5.7.0 performs many TCP reconnections upon receiving certain nonsensical responses from servers.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-46317 was patched at 2024-02-27, 2024-05-15

77. Information Disclosure - Perl (CVE-2022-48623) - Medium [260]

Description: The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.

debian: CVE-2022-48623 was patched at 2024-05-15

ubuntu: CVE-2022-48623 was patched at 2024-02-28

78. Memory Corruption - Linux Kernel (CVE-2023-52454) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52454 was patched at 2024-05-15

ubuntu: CVE-2023-52454 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

79. Memory Corruption - Linux Kernel (CVE-2023-52457) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed Returning an error code from .remove() makes the driver core emit the little helpful error message: remove callback returned a non-zero value. This will be ignored. and then remove the device anyhow. So all resources that were not freed are leaked in this case. Skipping serial8250_unregister_port() has the potential to keep enough of the UART around to trigger a use-after-free. So replace the error return (and with it the little helpful error message) by a more useful error message and continue to cleanup.

debian: CVE-2023-52457 was patched at 2024-05-15

ubuntu: CVE-2023-52457 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

80. Memory Corruption - Linux Kernel (CVE-2023-52458) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nblock: add check that partition length needs to be aligned with block size\n\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52458 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2023-52458 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

81. Memory Corruption - Linux Kernel (CVE-2023-52463) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: force RO when remounting if SetVariable is not supported\n\nIf SetVariable at runtime is not supported by the firmware we never assign\na callback for that function. At the same time mount the efivarfs as\nRO so no one can call that. However, we never check the permission flags\nwhen someone remounts the filesystem as RW. As a result this leads to a\ncrash looking like this:\n\n$ mount -o remount,rw /sys/firmware/efi/efivars\n$ efi-updatevar -f PK.auth PK\n\n[ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 303.280482] Mem abort info:\n[ 303.280854] ESR = 0x0000000086000004\n[ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits\n[ 303.282016] SET = 0, FnV = 0\n[ 303.282414] EA = 0, S1PTW = 0\n[ 303.282821] FSC = 0x04: level 0 translation fault\n[ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000\n[ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n[ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6\n[ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1\n[ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023\n[ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 303.292123] pc : 0x0\n[ 303.292443] lr : efivar_set_variable_locked+0x74/0xec\n[ 303.293156] sp : ffff800008673c10\n[ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000\n[ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027\n[ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000\n[ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000\n[ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54\n[ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4\n[ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002\n[ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201\n[ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc\n[ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000\n[ 303.303341] Call trace:\n[ 303.303679] 0x0\n[ 303.303938] efivar_entry_set_get_size+0x98/0x16c\n[ 303.304585] efivarfs_file_write+0xd0/0x1a4\n[ 303.305148] vfs_write+0xc4/0x2e4\n[ 303.305601] ksys_write+0x70/0x104\n[ 303.306073] __arm64_sys_write+0x1c/0x28\n[ 303.306622] invoke_syscall+0x48/0x114\n[ 303.307156] el0_svc_common.constprop.0+0x44/0xec\n[ 303.307803] do_el0_svc+0x38/0x98\n[ 303.308268] el0_svc+0x2c/0x84\n[ 303.308702] el0t_64_sync_handler+0xf4/0x120\n[ 303.309293] el0t_64_sync+0x190/0x194\n[ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)\n[ 303.310612] ---[ end trace 0000000000000000 ]---\n\nFix this by adding a .reconfigure() function to the fs operations which\nwe can use to check the requested flags and deny anything that's not RO\nif the firmware doesn't implement SetVariable at runtime.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52463 was patched at 2024-05-15

ubuntu: CVE-2023-52463 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

82. Memory Corruption - Linux Kernel (CVE-2023-52464) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/thunderx: Fix possible out-of-bounds string access\n\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\n\n drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n ...\n 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);\n ...\n 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);\n\n ...\n\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\n\nChange it to strlcat().\n\n [ bp: Trim compiler output, fixup commit message. ]', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52464 was patched at 2024-05-15

ubuntu: CVE-2023-52464 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-04-19, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

83. Memory Corruption - Linux Kernel (CVE-2023-52467) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52467 was patched at 2024-05-15

ubuntu: CVE-2023-52467 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

84. Memory Corruption - Linux Kernel (CVE-2023-52469) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug.

debian: CVE-2023-52469 was patched at 2024-05-15

ubuntu: CVE-2023-52469 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

85. Memory Corruption - Linux Kernel (CVE-2023-52470) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check the alloc_workqueue return value in radeon_crtc_init()\n\ncheck the alloc_workqueue return value in radeon_crtc_init()\nto avoid null-ptr-deref.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-52470 was patched at 2024-05-15

ubuntu: CVE-2023-52470 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-04-17, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

86. Memory Corruption - Linux Kernel (CVE-2023-52594) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is bigger than the size of the array txs->txstatus, which is HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug handling code after the check. Make the function return if that is the case. Found by a modified version of syzkaller. UBSAN: array-index-out-of-bounds in htc_drv_txrx.c index 13 is out of range for type '__wmi_event_txstatus [12]' Call Trace: ath9k_htc_txstatus ath9k_wmi_event_tasklet tasklet_action_common __do_softirq irq_exit_rxu sysvec_apic_timer_interrupt

almalinux: CVE-2023-52594 was patched at 2024-06-05

debian: CVE-2023-52594 was patched at 2024-05-06, 2024-05-15

oraclelinux: CVE-2023-52594 was patched at 2024-06-05

redhat: CVE-2023-52594 was patched at 2024-06-05

ubuntu: CVE-2023-52594 was patched at 2024-03-11, 2024-05-07, 2024-05-14, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

87. Memory Corruption - Linux Kernel (CVE-2024-26581) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26581 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2024-26581 was patched at 2024-03-11, 2024-04-19, 2024-04-22, 2024-04-23, 2024-04-24, 2024-06-10

88. Memory Corruption - Linux Kernel (CVE-2024-26592) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix UAF issue in ksmbd_tcp_new_connection()\n\nThe race is between the handling of a new TCP connection and\nits disconnection. It leads to UAF on `struct tcp_transport` in\nksmbd_tcp_new_connection() function.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26592 was patched at 2024-05-15

ubuntu: CVE-2024-26592 was patched at 2024-03-11, 2024-05-07, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

89. Memory Corruption - Linux Kernel (CVE-2024-26597) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.

debian: CVE-2024-26597 was patched at 2024-05-15

ubuntu: CVE-2024-26597 was patched at 2024-03-11, 2024-03-20, 2024-03-21, 2024-03-25, 2024-03-28, 2024-04-09, 2024-04-16, 2024-04-17, 2024-04-30, 2024-06-10

90. Memory Corruption - Linux Kernel (CVE-2024-26598) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26598 was patched at 2024-05-15

redhat: CVE-2024-26598 was patched at 2024-06-12

ubuntu: CVE-2024-26598 was patched at 2024-03-11, 2024-04-09, 2024-04-16, 2024-05-07, 2024-05-14, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-12, 2024-06-14

91. Memory Corruption - Linux Kernel (CVE-2024-26599) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\npwm: Fix out-of-bounds access in of_pwm_single_xlate()\n\nWith args->args_count == 2 args->args[2] is not defined. Actually the\nflags are contained in args->args[1].', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26599 was patched at 2024-05-15

ubuntu: CVE-2024-26599 was patched at 2024-03-11, 2024-03-20, 2024-03-21, 2024-03-25, 2024-03-28

92. Memory Corruption - Linux Kernel (CVE-2024-26600) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26600 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2024-26600 was patched at 2024-03-11, 2024-05-07, 2024-05-14, 2024-05-15, 2024-05-20, 2024-05-28, 2024-06-11

93. Memory Corruption - Linux Kernel (CVE-2024-26601) - Medium [251]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd ("ext4: remove redundant\nmb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-26601 was patched at 2024-05-06, 2024-05-15

ubuntu: CVE-2024-26601 was patched at 2024-03-11, 2024-06-07, 2024-06-10, 2024-06-11, 2024-06-14

94. Denial of Service - Unknown Product (CVE-2024-25111) - Medium [244]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-25111 was patched at 2024-03-19

debian: CVE-2024-25111 was patched at 2024-05-15

oraclelinux: CVE-2024-25111 was patched at 2024-03-20, 2024-03-21

redhat: CVE-2024-25111 was patched at 2024-03-19, 2024-03-25, 2024-03-26, 2024-04-16, 2024-05-09, 2024-05-13

ubuntu: CVE-2024-25111 was patched at 2024-04-10

95. Security Feature Bypass - Unknown Product (CVE-2024-23301) - Medium [244]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-23301 was patched at 2024-03-05, 2024-04-09

debian: CVE-2024-23301 was patched at 2024-05-15

oraclelinux: CVE-2024-23301 was patched at 2024-03-06, 2024-04-09

redhat: CVE-2024-23301 was patched at 2024-03-05, 2024-04-09

redos: CVE-2024-23301 was patched at 2024-03-28

96. Information Disclosure - Unknown Product (CVE-2024-0914) - Medium [243]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-0914 was patched at 2024-03-07, 2024-04-02

debian: CVE-2024-0914 was patched at 2024-05-15

oraclelinux: CVE-2024-0914 was patched at 2024-03-08, 2024-04-03

redhat: CVE-2024-0914 was patched at 2024-03-07, 2024-03-19, 2024-04-02, 2024-04-16, 2024-04-23

redos: CVE-2024-0914 was patched at 2024-04-10

97. Unknown Vulnerability Type - PHP (CVE-2023-50251) - Medium [240]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2023-50251 was patched at 2024-03-20, 2024-05-15

98. Elevation of Privilege - Unknown Product (CVE-2022-20567) - Medium [235]

Description: {'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References: Upstream kernel', 'bdu_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2022-20567 was patched at 2024-05-15

ubuntu: CVE-2022-20567 was patched at 2024-03-18, 2024-03-21

99. Memory Corruption - Chromium (CVE-2024-1673) - Medium [234]

Description: Use after free in Accessibility in Google Chrome prior to 122.0.6261.57 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)

debian: CVE-2024-1673 was patched at 2024-02-23, 2024-05-15

redos: CVE-2024-1673 was patched at 2024-05-07

100. Memory Corruption - Chromium (CVE-2024-1938) - Medium [234]

Description: Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-1938 was patched at 2024-02-28, 2024-05-15

redos: CVE-2024-1938 was patched at 2024-05-07

101. Memory Corruption - Chromium (CVE-2024-1939) - Medium [234]

Description: Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-1939 was patched at 2024-02-28, 2024-05-15

redos: CVE-2024-1939 was patched at 2024-05-07

102. Memory Corruption - Chromium (CVE-2024-2173) - Medium [234]

Description: Out of bounds memory access in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-2173 was patched at 2024-03-06, 2024-05-15

redos: CVE-2024-2173 was patched at 2024-05-03

103. Memory Corruption - Chromium (CVE-2024-2176) - Medium [234]

Description: Use after free in FedCM in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-2176 was patched at 2024-03-06, 2024-05-15

redos: CVE-2024-2176 was patched at 2024-05-03

104. Memory Corruption - Chromium (CVE-2024-2400) - Medium [234]

Description: Use after free in Performance Manager in Google Chrome prior to 122.0.6261.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)